Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates

Phishing pages don’t sit still anymore. They redirect, load scripts, harvest credentials through dynamic forms, and rebuild their DOM after the initial load — and most URL analysis workflows still only see the finish line, not the race. This June, ANY.RUN closed that gap directly inside the Interactive Sandbox and extended its automation reach with a new integration built for scale. 

Here’s what your team can put to work this month: full browser-level visibility for every URL analysis, a no-code path to embed ANY.RUN in Torq playbooks, and over 1,100 new detections across behavior signatures, Suricata rules, and YARA rules. 

Product Updates 

June’s releases focus on closing the visibility gap in phishing investigations and giving SOC and MSSP teams a faster route from alert to automated response. The headline update is in-browser data inspection, a new investigation layer in the Interactive Sandbox, alongside a new integration with the Torq AI SOC Platform. 

Closing the Phishing Blind Spot with In-Browser Data Inspection

Modern phishing campaigns rarely stop at a malicious URL. They rely on dynamic content, JavaScript, multi-stage redirects, credential harvesting forms, and browser-based tricks that often remain invisible to traditional analysis methods. 

This month, ANY.RUN introduced In-Browser Data Inspection, a new capability that captures browser-rendered content during URL analysis, revealing exactly what users would experience when interacting with a suspicious website. 

Instead of relying solely on page source or network data, analysts can now inspect: 

  • Fully rendered web pages and dynamic content; 
  • Phishing forms and credential collection attempts; 
  • Client-side JavaScript execution; 
  • Redirect chains and browser behavior; 
  • Hidden elements designed to evade detection.
See all URL details, DOM changes, network requests, and IOCs in one place 

For SOC analysts, this means fewer blind spots during phishing investigations and faster validation of suspicious URLs. 

For security managers and CISOs, it means higher confidence in phishing detection, quicker incident triage, and better protection against increasingly sophisticated browser-based attacks. 

Scaling Triage and Response with the ANY.RUN & Torq Integration

Alert volume keeps growing faster than SOC headcount, and every alert that lands without context costs an analyst time they don’t have. ANY.RUN’s new integration with the Torq AI SOC Platform puts conclusive malware and phishing verdicts directly into the automated workflows teams already build in Torq: no custom code, no months-long rollout. 

The integration ships with five ready-to-use Torq HyperAgents™ covering two workflow types: case-based templates that pull observables straight from an open Torq case for enrichment, and standalone sandbox workflows that accept a URL or file as input and return a full verdict, IOC list, and report link anywhere in a custom automation chain. Results — reputation data, threat names, tags, and structured JSON — land directly in Torq Case Management, ready to branch on. 

Teams integrating ANY.RUN into Torq gain: 

  • Faster incident resolution, with an average MTTR reduction of 21 minutes per case. 
  • Operational scaling without added headcount, as HyperAgents absorb routine Tier 1 enrichment work. 
  • Zero development overhead, with a no-code setup that’s live in minutes rather than months. 
  • Standardized investigation logic, so every alert is checked against the same high-fidelity criteria regardless of analyst experience. 
  • Higher ROI on existing tools, as ANY.RUN enriches the SIEM, EDR, and XDR data already flowing into Torq. 
ANY.RUN’s Sandbox provides fast case enrichment in Torq

The integration is available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, giving SOC and MSSP teams a direct path to scale triage and response without scaling the team itself. 

Experience the latest ANY.RUN capabilities.
Gain deeper browser visibility and accelerate investigations
with Torq-powered automation.



Integrate in your SOC


Threat Coverage Updates

Keeping pace with evolving malware remains a core priority for our detection team. During June, we significantly expanded threat coverage with:

  • 1,055 new Suricata rules,
  • 65 new behavior signatures,
  • 14 new YARA rules.

These additions improve detection across network traffic, behavioral activity, and malware samples, helping analysts identify emerging threats faster while increasing investigation accuracy. The continuous expansion of detection logic also strengthens the quality of intelligence powering ANY.RUN’s Interactive Sandbox and Threat Intelligence solutions.

New Behavior Signatures

The 65 new behavior signatures added this month target malware-specific activity helping analysts confirm what a sample actually does inside the sandbox, rather than inferring it from static traits alone. Coverage this month spans commodity stealers and loaders, RATs, and ransomware families active across recent phishing and malvertising campaigns.

Highlighted detections include: 

Cut response delays before threats become costly incidents.
Give your SOC faster, evidence-backed decisions



Integrate in your SOC


New Suricata Rules

A total of 1,055 new Suricata rules were implemented in June to improve visibility into malicious network activity, including:

  • Phishing Redirect Engine related URL (sid: 89003883) – Identifies various PhaaS operators’ infrastructure used as routing layer, delivering victim to specific phishkit landing pages.
  • Adobe-themed RMM phishing (sid: 84003399) – Tracks attempts to lure user into installing remote management tool, disguised as shared secure documents.
  • SilentNet CnC HTTP activity (sid: 84003444) – Detects SilentNet attempts to communicate with its C2-server.

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding andclearer evidence for response.

Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.

ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigationuncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

This month in security with Tony Anscombe – June 2026 edition

Three-day patching deadlines, exposed fuel-tank systems, scams costing billions of dollars, and social media bans for children all gave Tony plenty to unpack in June 2026

WeLiveSecurity – ​Read More

Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed

For a US automotive manufacturer working with more than 200 active vendors, supplier file intake had become a growing security and cost challenge. Suspicious submissions often reached the SOC without enough context, forcing Tier 1 analysts to escalate most cases and slowing detection and response across the business. 

By introducing a scalable triage and analysis process with behavioral sandboxing and threat intelligence, the company made alert processing and threat analysis 2x faster, improved MTTD and MTTR, increased its detection rate, reduced escalation pressure, and analyzed hundreds of files every week without adding headcount.

A US Automotive Manufacturer Built Around a Large Supplier Ecosystem 

The company is a US-based automotive manufacturer operating within a highly interconnected supply chain. Its daily operations depend on continuous collaboration with more than 200 active vendors and third-party contractors. 

These external partners regularly exchange files with the organization to support ongoing manufacturing, technical, and business processes. This makes supplier communication essential to keeping operations moving, but it also creates a large and constantly changing entry point for risk. 

The SOC is responsible for protecting the company’s environment while ensuring legitimate supplier activity is not delayed. As the volume of incoming files grew, the team needed a way to analyzesubmissions consistently, improve detection and response speed, and reduce third-party exposure without increasing staffing costs. 

The Challenge: Supplier Files Were Entering Without a Consistent Analysis Process 

Before ANY.RUN, the company had no systematic process for analyzing files received from vendors and third-party contractors. 

US Manufacturer’s security challenges
US Manufacturer’s security challenges 

Existing security controls could flag a submission as suspicious, but they did not always show what the file would actually do after execution. Without behavioral evidence, analysts were left with incomplete indicators and uncertain verdicts.

“The volume itself was not the only challenge. The bigger issue was that analysts did not have enough context to quickly decide which supplier files were safe and which required further action.” 

Head of SOC, US automotive manufacturer 

This created several problems for the SOC:

A Security Gap in Supplier File Intake 

Files could enter the environment without passing through a dedicated behavioral analysis layer.

This limited the company’s ability to identify threats that appeared harmless during static inspection but revealed malicious activity only after execution.

For a manufacturer with a large supplier ecosystem, this created meaningful third-party risk. A compromised vendor could become an indirect route into the organization, even when the manufacturer’s own internal defenses remained strong.

High Escalation Rates 

Tier 1 analysts often lacked enough context to confidently close suspicious submissions. 

As a result, the majority of these files were escalated to more experienced analysts. Senior team members had to spend time reviewing cases that could have been resolved earlier with clearer evidence. 

Rising Investigation Costs 

The supplier network continued to generate a high volume of files. Handling that growth through manual investigation would have required more analyst hours and, eventually, additional headcount. 

Without a more scalable process, the company risked paying more just to maintain the same level of protection.

Longer Exposure to Potential Threats 

Every delay in validating a suspicious file extended the period during which the organization could not confidently allow, block, or contain it. 

In a manufacturing environment, a missed threat can affect more than an individual endpoint. It can disrupt operations, expose sensitive data, and weaken trust across the supplier network. 

Building a Scalable Supplier File Triage and Analysis Process with ANY.RUN 

The manufacturer introduced a consistent process for analyzing files received from vendors and third-party contractors. 

By combining behavioral analysis with threat intelligence, the SOC gained both the evidence needed to understand what a file does and the context required to assess the wider threat behind it. 

“We have over 200 active vendors sending files into the environment. ANY.RUN gave us a scalable way to analyze that volume and make triage much faster without adding headcount”

Head of SOC, automotive manufacturer

Instead of relying on isolated alerts or incomplete indicators, analysts could detect malicious submissions more accurately, reach verdicts faster, resolve more cases at Tier 1, and reduce the amount of senior analyst time spent on routine reviews. 

This improved detection quality while contributing to lower MTTD and MTTR across supplier-related investigations. 

Reaching Faster Verdicts with Behavioral Evidence 

The SOC reduced triage time by giving analysts direct visibility into what suspicious supplier files did after execution. 

Files were safely analyzed in ANY.RUN’s cloud-based Interactive Sandbox, where the team could review process activity, network connections, system changes, commands, and other behavior without exposing the production environment. 

Full chain of a complicated EvilTokens attack on US companies analyzed in just 1 minute

This replaced incomplete indicators with clear evidence of whether a submission was malicious and how it could affect the business. 

“We no longer have to spend time piecing together what a supplier file might do. The behavior is visible in one place, which makes decisions faster and easier to defend.” 

Head of SOC, US automotive manufacturer 

Structured and visual results also helped Tier 1 analysts move from alert to verdict with fewer manual checks. Instead of reconstructing file behavior across disconnected tools, they could validatesuspicious submissions faster and make more confident decisions. 

The faster path from alert to confirmed verdict contributed to improved MTTD, while clearer evidence and fewer repeated checks helped reduce MTTR. 

Cut investigation time with clear behavioral evidence
Help analysts reach faster decisions.



Accelerate triage now  


Connecting Supplier Files to Wider Threat Activity 

Behavioral analysis showed the team what each suspicious file did. Threat intelligence helped reveal whether the submission was connected to a larger risk.

Indicators uncovered during analysis could be linked to malicious infrastructure, related samples, known campaigns, and attacker activity. This gave analysts a clearer view of whether they were dealing with an isolated file or broader activity involving the company’s supplier ecosystem. 

ANY.RUN’s Threat Intelligence used to explore broader threat context

The SOC also used this context to uncover additional indicators and behavioral patterns, strengthening internal detection controls beyond the original submission.

As a result, each investigation contributed to wider threat visibility. The team could resolve the immediate case while also identifying related activity that might otherwise remain hidden across the supply chain. 

Resolving More Supplier Files at Tier 1 

Before ANY.RUN, suspicious supplier files often moved up the escalation chain because Tier 1 analysts lacked enough evidence to confidently determine whether they were safe or malicious. 

With behavioral analysis, threat intelligence, and structured Tier 1 Reports available in the same workflow, first-line analysts received clearer summaries of each case, along with practical recommendations for the next step. 

AI Summary generated inside ANY.RUN’s sandbox for deeper analysis and faster handoff

This reduced the need to interpret every technical detail manually and helped analysts reach decisions faster. The company recorded a significant reduction in Tier 1 escalations, while Tier 2 received fewer low-context cases. 

“Cases that can be resolved at the first level no longer consume Tier 2 time. When escalation is necessary, senior analysts receive the relevant evidence instead of having to restart the investigation.” 

Head of SOC, US automotive manufacturer 

The change reduced duplicated work and made better use of specialist expertise. Senior analysts spent less time repeating initial validation and more time investigating complex or high-impact threats. 

More supplier files were resolved at the right level the first time, helping investigation queues move faster and lowering the cost of each case. 

Analyzing Hundreds of Files Without Adding Headcount 

The company now analyzes hundreds of supplier files every week without hiring additional analysts.

For the business, this is one of the clearest returns from the new process. The manufacturer increased its triage and analysis capacity while keeping staffing costs stable. 

Instead of treating headcount growth as the only solution to rising file volumes, the company gave its existing team a faster and more consistent way to detect malicious activity and reach verdicts. 

The SOC now absorbs more supplier activity without creating the same increase in labor costs or investigation backlogs. 

This also gives the company a more sustainable foundation for growth. As the vendor network expands or file volume rises, the security team has a triage process that can scale with it. 

Reduce third-party exposure before it affects operations.
Increase security capacity without increasing headcount.



Reduce risk now  


Improving MTTD and MTTR with 2x Faster Triage 

The manufacturer achieved a 2x improvement in alert processing and threat analysis speed, contributing to lower mean time to detect and mean time to respond. 

Suspicious supplier files moved through triage twice as fast. Analysts identified malicious behavior sooner, reached confirmed verdicts with less delay, and passed high-risk cases into response with clearer evidence already collected.

Legitimate submissions were also cleared faster, reducing the time business teams spent waiting for a security decision. 

“We cut the time it takes to move from a suspicious supplier file to a clear decision in half. That gave the business faster answers and reduced the time potential threats remained unresolved.” 

Head of SOC, US automotive manufacturer 

This faster process also reduced the company’s exposure window. Analysts reached evidence-backed verdicts sooner without sacrificing investigation depth, helping the SOC protect operations while keeping supplier workflows moving. 

Before ANY.RUN  Result with ANY.RUN  Business Impact 
No systematic process for analyzing vendor files  Hundreds of supplier files analyzed weekly  Greater triage capacity without additional hiring 
No behavioral analysis layer in supplier file intake  Malicious behaviordetected through direct execution evidence  Higher detection rate and lower third-party exposure 
Most suspicious submissions escalated by Tier 1  Significant reduction in Tier 1 escalations  More senior analyst capacity for critical incidents 
Slow, context-limited investigations  2x faster alert processing and threat analysis  Improved MTTD and MTTR with a shorter exposure window 

A Practical Model for Manufacturing Leaders Managing Third-Party Risk 

For manufacturing leaders, supplier security is not only a SOC issue. It affects operational continuity, staffing costs, executive accountability, and the company’s ability to grow without increasing exposure. 

A scalable approach should combine consistent file validation, broader threat context, and measurable outcomes. 

Turn Supplier File Intake into a Defined Risk Control 

A consistent triage helps the SOC apply the same standard to files received from vendors and contractors. 

With behavioral evidence from the Interactive Sandbox and additional context from Threat Intelligence, teams can replace inconsistent manual checks with a repeatable validation workflow.

For leadership, this creates clearer oversight of one of the company’s most exposed third-party risk channels. 

Increase Capacity Without Matching Growth with Headcount 

Faster verdicts and fewer unnecessary escalations allow the existing team to handle more supplier submissions. 

ANY.RUN reduces duplicated work, protects senior analyst capacity, and helps the SOC process higher file volumes without expanding at the same rate. 

The result is lower investigation cost and greater value from existing security resources. 

Protect Operations Without Slowing Supplier Activity 

Suspicious files can be analyzed in a controlled environment before they reach internal systems, while legitimate submissions move through review faster. 

This helps reduce the risk of supplier-borne threats without creating unnecessary delays for manufacturing, procurement, engineering, or other teams that depend on third-party collaboration. 

Connect Individual Submissions to Wider Exposure 

A suspicious file may be only one part of a larger campaign. 

ANY.RUN’s Threat Intelligence solutions help teams connect indicators to known infrastructure, related samples, active campaigns, and broader attacker activity. 

This gives leadership a clearer view of whether the company is dealing with an isolated submission or wider exposure involving suppliers and other external partners. 

Demonstrate Measurable Business Value 

The strongest supplier security programs are measured by outcomes, not by the number of files processed. 

With ANY.RUN, organizations can track improvements such as lower MTTD and MTTR, higher detection rates, fewer Tier 1 escalations, greater analysis capacity, and shorter exposure windows. 

These results make it easier to show how supplier security investments reduce risk, avoid additional staffing costs, and support business growth. 

Improve MTTD and shorten the business exposure window.

Reduce supplier-driven risk before it affects operations.



Strengthen supplier security  


Conclusion 

For this US automotive manufacturer, supplier file intake had become both a security risk and a growing cost center. More than 200 vendors were sending files into the environment, while analysts lacked a consistent way to validate behavior, add threat context, and reach fast decisions.

With ANY.RUN, the company built a scalable triage process that now supports hundreds of supplier files every week without additional headcount. Threat analysis became 2x faster, MTTD and MTTR improved, detection increased, and fewer cases required Tier 2 escalation. 

The result is a stronger security model for a complex supplier ecosystem: lower third-party exposure, better use of analyst time, and faster decisions that keep business operations moving. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate cyber threats faster and make evidence-based security decisions. 

Its cloud-based Interactive Sandbox enables teams to safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for triage and response.

ANY.RUN’s Threat Intelligence solutions provide additional context around indicators, malicious infrastructure, emerging campaigns, and attacker activity. Together, these capabilities help organizations improve threat detection, reduce investigation time, and manage growing security demands without adding unnecessary operational costs. 

The post Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Inside the inbox: Why cybercriminals want to break into your email account

Your inbox is an identity system all of its own: whoever owns it may own a lot more

WeLiveSecurity – ​Read More

SMB cyber readiness: the road to resilience starts here

Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.

WeLiveSecurity – ​Read More

250,000 misconfigurations in GitHub Actions | Kaspersky official blog

Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.

In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.

Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.

Detailed research results

In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.

Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.

Here are the most common flaws found in the GitHub Actions we reviewed:

  • implicitly defined or overly broad access permissions,
  • lack of version pinning for used dependances,
  • configuration settings applied at the workflow level.

In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.

How can you stay safe?

Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.

Searching for misconfigurations in GitHub Actions.

Searching for misconfigurations in GitHub Actions.

The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.

Kaspersky official blog – ​Read More

Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances

ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data

WeLiveSecurity – ​Read More

ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence

Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with Torq, a no-code/AI SOC automation platform, bridges this gap by delivering conclusive malware & phishing verdicts and actionable intelligence.  

The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection. 

ANY.RUN & Torq Integration 

Unlike legacy SOAR approaches that often require custom code and months of implementation, Torq allows SOC and MSSP teams to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows. 

At launch, users have access to 5 ready-to-use templates designed to accelerate time-to-verdict and standardize the investigation process. 

Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation. 

Available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.  

Speed up triage & response inside Torq with ANY.RUN
Scale your SOC capability without adding headcount



Contact us 


Interactive Sandbox Templates in Torq 

The Interactive Sandbox workflows allow analysts to detonate suspicious objects in real-time environments (WindowsLinuxmacOS or Android) to uncover evasive behaviors. There are two types of templates available for sandbox analysis: 

1. Case-Based Workflows 

ANY.RUN’s Sandbox provides fast case enrichment in Torq

These are triggered directly from a Torq Case, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools. 

  • Process: The analyst opens a case and launches the workflow. The system automatically retrieves observables or attachments, filtering for supported objects such as URLs or files. Analysts can then select specific objects for detonation. 
  • Result: Analysis data is added to the case notes in real-time. This includes a brief context, reputation, threat names or tags, and a structured JSON response. Additionally, a direct link is provided, allowing the analyst to jump into the ANY.RUN session to continue a manual, interactive analysis. 

The list of case-based templates: 

2. Sandbox Analysis Workflows 

These templates are designed to be embedded as a specific step within a larger, custom incident response flow

  • Process: Unlike case-based templates, these function independently of a specific case. They accept a URL or File as an input parameter and initiate the ANY.RUN Sandbox analysis. 
  • Result: The workflow waits for the analysis to complete and returns a structured JSON object containing the final verdict, analysis metadata, a list of IOCs, and a link to the full report. This data can then be passed further down the custom automation chain. 

The list of sandbox analysis templates: 

Threat Intelligence Lookup Templates in Torq 

TI Lookup adds context to isolated indicators, giving SOC teams the clarity for correct decisions

The Threat Intelligence (TI) Lookup integration focuses on rapid enrichment of “raw” observables found in alerts, such as IPs, domains, hashes, and URLs. 

  • Automation at Scale: When a case contains suspicious indicators, the TI Lookup workflow queries ANY.RUN’s vast database of threat data—continuously updated from millions of sandbox sessions. 
  • Instant Context: The workflow returns high-fidelity data including the reputation of the indicator, threat names, and specific tags. This allows analysts to immediately understand the nature of a threat and decide whether to block the indicator or escalate the incident. 
  • Enrichment Integration: Much like the sandbox workflows, TI Lookup results are delivered directly into the Torq interface as JSON data or case notes, ensuring that the analyst never has to leave their primary workspace to gather intelligence. 

Explore the TI Lookup template

How to Integrate ANY.RUN in Torq 

Setting up the integration is straightforward and requires no custom coding: 

  1. Navigate to Integrations within Torq and locate ANY.RUN
  1. Click Add, create a new instance, and enter your API key
  1. Go to the Templates tab and search for ANY.RUN templates. 
  1. Select your previously configured ANY.RUN integration to begin using the workflows. 

By default, these playbooks are configured to be launched manually. This is a deliberate design choice to ensure that only appropriate objects are sent for analysis.  

However, for high-volume environments, these templates can be easily integrated into broader, fully automated playbooks

Key SOC & MSSP Benefits of Integrating ANY.RUN in Torq 

ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI. 

  • Faster incident resolution (MTTR): Automating sandbox analysis and threat intelligence correlation allows you to cut incident resolution time by tens of percent. Analysts get clear verdicts in seconds, enabling them to block threats before they spread. 
  • Operational scaling: You can handle a growing volume of alerts with your current staff. By automating routine Tier 1 tasks, your team can focus on complex threats without a proportional increase in headcount. 
  • Zero development overhead: Unlike custom integrations that require months of engineering, this no-code setup is ready in minutes. You get a functional automation foundation without the cost of writing or maintaining scripts. 
  • Standardized investigation logic: Every alert is checked using the same high-fidelity criteria. This ensures consistent results and reduces the risk of human error, regardless of an analyst’s experience level. 
  • Higher ROI on existing tools: ANY.RUN works as an enrichment layer inside Torq, making your SIEM, EDR, and other security investments more effective by providing them with immediate, actionable context. 
  • Reduced analyst burnout: By eliminating manual data entry and constant switching between tools, you allow your team to focus on meaningful security work, which improves overall SOC productivity. 

Integrate ANY.RUN’s solutions in Torq
Close security gaps and reduce MTTR with confidence



Contact us 


About ANY.RUN 

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide, ANY.RUN helps security teams investigate threats faster and with greater accuracy. 

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, while our Threat Intelligence solutions (TI Lookup and TI Feedsprovide the necessary context to anticipate and stop today’s most advanced attacks. 

The integration of ANY.RUN with Torq adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By utilizing these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows. 

The post ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ESET takes part in Operation Endgame to disrupt Amadey and Stealc

ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights

WeLiveSecurity – ​Read More

How hackers use PowerShell scripts to steal Telegram accounts | Kaspersky official blog

There are dozens of ways to break into someone else’s Telegram account. We’ve frequently covered phishing in Telegram Mini Apps, scams with bots, gifts, and giveaways, and many other tactics. Today, we’re looking at yet another account hijacking method, one that relies on a PowerShell script.

The script, deceptively named “Windows Telemetry Update”, actually serves as a tool for hijacking Telegram sessions. It harvests data from completely defenseless user computers and forwards it to the attackers via a Telegram bot.

An evil script with a stealer inside

Cybercriminals frequently rely on PowerShell scripts to covertly download malware or harvest data. This time, researchers uncovered a script on Pastebin masquerading as a routine Windows update. In reality, it was an infostealer designed to hijack Telegram for Windows session data and allow hackers to take over accounts without a password or verification code.

What’s a PowerShell script anyway? Think of it as a text file packed with commands for a Windows computer. Instead of a human spending time clicking through tasks manually, the computer follows these quick instructions to get everything done automatically in a matter of seconds.

This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes

This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes

Right at the top of the script, researchers immediately spotted a Telegram bot token and a chat ID, alongside multiple references to the tdata folder. This specific folder is where Telegram for Windows keeps the authorization keys used to log users in to its servers. If attackers grab this data, they can access the victim’s Telegram account without a password or verification code. Once inside, they maintain access until the victim checks their active sessions in the app and manually terminates the suspicious ones.

How the stealer works

The malware lands on the victim’s computer disguised as a PowerShell script for a Windows telemetry update. As soon as it runs, it gathers basic system information: the username, hostname, and public IP address. It then checks if Telegram Desktop is installed. If it is, the script forces the app to close so it can unlock Telegram files for editing.

From there, the rest is simple: the script zips up the entire contents of the tdata folder into a temporary directory, forwards the archive straight to the attackers, and wipes the file from the computer to erase its tracks.

The good news is that the stealer likely hasn’t compromised any accounts yet, as experts found no evidence of actual data transfers. It appears researchers caught this malicious PowerShell script while it was still in the prototype testing phase.

Another giveaway is its surprisingly suspicious name. Cybercriminals typically use neutral names to hide their bots and apps. In this case, when researchers found it, the bot was running under the burner handle afhbhfsdvfh_bot with a dead-honest description: Telegram attacker. Researchers noted that while the bot had likely undergone functional testing, it hadn’t yet been deployed at scale, which explains the placeholder name.

How to defend against PowerShell scripts

Defending against this nameless stealer requires a layered approach to security. First, it helps to understand how a PowerShell script ends up on your PC in the first place. Usually, they slip in unnoticed through malicious email attachments, software vulnerabilities, infected apps, or social engineering tricks. That’s why we recommend installing a robust security suite on your device and staying highly cautious about the links you click and the files you download.

  • Be careful what you download. Always double-check the websites you use to download files. Stick to trusted, official sources — and remember that Telegram and Discord channels, and sketchy, fly-by-night websites definitely don’t fit that description.
  • Watch out for email links and attachments. Keep in mind that email remains a favorite delivery method for cybercriminals. They might drop a PowerShell script directly into your inbox as an attachment or bait you into clicking a link that triggers an automatic download.
  • Keep your apps and OS updated. Software vulnerabilities pop up unexpectedly, but patches are usually released very quickly. We recommend installing updates as soon as they become available. To make life easier, just turn on automatic updates wherever possible.

Make sure to install Kaspersky Premium on every device where you run Telegram. Our security solution will block malware, malicious attachments, spam, phishing attempts, and sketchy websites. Kaspersky Premium subscription additionally includes a password manager. It’ll generate and securely store strong and unique passwords, stop you from entering your credentials on fake sites, and come in handy for tightening your Telegram security, which we’ll cover next.

How to secure your Telegram account

To protect your Telegram account from these types of hijacking schemes, make sure to:

  • Regularly monitor your Telegram activity. Ultimately, hackers steal accounts to blast out spam and run scams. It’s a good idea to periodically check your chat history to ensure no new conversations or messages have appeared that you didn’t send yourself.
  • Immediately terminate unrecognized sessions. If you suspect you’ve fallen victim to this infostealer or any other cyberattack, terminate all other Telegram sessions as soon as possible by going to SettingsDevicesTerminate all other sessions.

If your Telegram account has already been hijacked, you have a strict 24-hour window to kick the attackers out by terminating their sessions. We broke down exactly why this rule exists — and mapped out every possible way to reclaim your account — in our detailed guide: What to do if your Telegram account is hacked.

In the meantime, beefing up your account security is a must. First, set up a cloud password by heading to SettingsPrivacy and SecurityTwo-Step Verification. Just any password won’t cut it — you need something unique and unhackable. We recommend reading our post on the subject: Creating an unforgettable password.

Better yet, make the switch to passkeys — a passwordless technology that offers top-tier protection against leaks and phishing. To set up that login method, go to SettingsPrivacy and SecurityPasskeys. The easiest way to manage your passkeys is with Kaspersky Password Manager. Our cross-platform app ensures you can seamlessly log in to Telegram using your saved passkeys whether you are on Windows, Android, iOS, or macOS.

To learn more about how cybercriminals can breach your Telegram account and how to lock it down, check out our other posts:

Kaspersky official blog – ​Read More