Cyble Vulnerability Intelligence researchers tracked 1,782 vulnerabilities in the last week, the third straight week that new vulnerabilities have been growing at twice their long-term rate. 

Over 282 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 207 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 51 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the top IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-66516 is a maximum severity XML External Entity (XXE) injection vulnerability in Apache Tika’s core, PDF and parsers modules. Attackers could embed malicious XFA files in PDFs to trigger XXE, potentially allowing for the disclosure of sensitive files, SSRF, or DoS without authentication. 

CVE-2025-15047 is a critical stack-based buffer overflow vulnerability in Tenda WH450 router firmware version V1.0.0.18. Attackers could potentially initiate it remotely over the network with low complexity, and a public exploit exists, increasing the risk of widespread abuse. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were: 

• CVE-2025-14733, an out-of-bounds write vulnerability in WatchGuard Fireware OS that could enable remote unauthenticated attackers to execute arbitrary code. 

• CVE-2025-40602, a local privilege escalation vulnerability due to insufficient authorization in the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances. 

• CVE-2025-20393, a critical remote code execution (RCE) vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw has reportedly been actively exploited since late November by a China-linked APT group, which has deployed backdoors such as AquaShell, tunneling tools, and log cleaners to achieve persistence and remote access. 

• CVE-2025-14847, a high-severity MongoDB vulnerability that’s been dubbed “MongoBleed” and reported to be under active exploitation. The Improper Handling of Length Parameter Inconsistency vulnerability could potentially allow uninitialized heap memory to be read by an unauthenticated client, potentially exposing data, credentials and session tokens. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed a number of threat actors sharing exploits and discussing weaponizing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities under discussion were: 

CVE-2025-56157, a critical default credentials vulnerability affecting Dify versions through 1.5.1, where PostgreSQL credentials are stored in plaintext within the docker-compose.yaml file. Attackers who access deployment files or source code repositories could extract these default credentials, potentially gaining unauthorized access to databases. Successful exploitation could enable remote code execution, privilege escalation, and complete data compromise. 

CVE-2025-37164, a critical code injection vulnerability in HPE OneView. The unauthenticated remote code execution flaw affects HPE OneView versions 10.20 and prior due to improper control of code generation. The vulnerability exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication, potentially allowing remote attackers to execute arbitrary code and gain centralized control over the enterprise infrastructure. 

CVE-2025-14558, a critical severity remote code execution vulnerability in FreeBSD’s rtsol(8) and rtsold(8) programs that is still awaiting NVD and CVE publication. The flaw occurs because these programs fail to validate domain search list options in IPv6 router advertisement messages, potentially allowing shell commands to be executed due to improper input validation in resolvconf(8). Attackers on the same network segment could potentially exploit this vulnerability for remote code execution; however, the attack does not cross network boundaries, as router advertisement messages are not routable. 

CVE-2025-38352, a high-severity race condition vulnerability in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition in the posix-cpu-timers subsystem could allow local attackers to escalate privileges. The flaw occurs when concurrent timer deletion and task reaping operations create a race condition that fails to detect timer firing states. 

ICS Vulnerabilities 

Cyble threat researchers also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2025-30023, a critical Deserialization of Untrusted Data vulnerability in Axis Communications Camera Station Pro, Camera Station, and Device Manager. Successful exploitation could allow an attacker to execute arbitrary code, conduct a man-in-the-middle-style attack, or bypass authentication. 

Schneider Electric EcoStruxure Foxboro DCS Advisor is affected by CVE-2025-59827, a Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Service (WSUS). Successful exploitation could allow for remote code execution, potentially resulting in unauthorized parties acquiring system-level privileges. 

Conclusion 

The persistently high number of new vulnerabilities observed in recent weeks is a worrisome new trend as we head into 2026. More than ever, security teams must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: The Year Ends with an Alarming New Trend  appeared first on Cyble.

Cyble – ​Read More

SOAR platforms are excellent at moving work forward. They trigger playbooks, route incidents, and enforce consistent response steps. What they don’t do well on their own is confirm what’s actually SOAR helps teams move faster, but speed isn’t the real problem. 

The real issue is figuring out what an alert actually means. A sandbox solves that by safely running the file or link and showing what it really does. With clear evidence in hand, playbooks make better decisions, triage moves quicker, and fewer incidents turn into long investigations. 

Let’s walk through how teams use a sandbox inside SOAR, and what that means for faster decisions and lower risk. 

Why a Sandbox Changes SOAR Outcomes 

SOAR platforms are excellent at moving work forward. They trigger playbooks, route incidents, and enforce consistent response steps. What they don’t do well on their own is confirm what’s actually happening. 

That gap matters. When alerts arrive with limited context, automation can only go so far. Teams hesitate, escalations increase, and playbooks stall while someone manually checks files, links, or indicators across multiple tools. 

A sandbox changes this dynamic by adding behavior-based proof directly into the workflow. Instead of relying on assumptions or partial signals, SOAR receives concrete answers: what executed, what connected out, what dropped, and how risky it really is. 

With that clarity: 

• Triage decisions happen faster 

• Playbooks trigger with more confidence 

• Fewer cases get escalated “just in case” 

In practice, SOAR stops being a traffic controller and starts acting like a decision engine; one that’s backed by real evidence, not guesses. 

What a Sandbox Does Inside SOAR Workflows 

When integrated into SOAR, ANY.RUN’s sandbox covers a few critical steps that static tools alone can’t reliably handle: 

• Validates alerts with real behavior: Suspicious files and links are executed in a safe environment to confirm whether they’re actually malicious. This replaces guesswork with evidence early in the workflow. 

• Uncovers multi-stage and evasive attacks: Many threats reveal their intent only after redirects, downloads, or user interaction. A sandbox follows the full execution chain so SOAR can act on what truly happens, not what appears safe at first glance. 

• Returns decision-ready context to playbooks: SOAR receives clear verdicts, risk scores, and indicators tied to observed behavior, giving playbooks the confidence to move forward without manual checks. 

• Reduces unnecessary escalations: With reliable evidence available upfront, fewer cases are passed up the chain “just in case,” keeping response focused and queues under control. 

• Enables safer automation: Once behavior is confirmed, SOAR can trigger containment, enrichment, and documentation steps with much lower risk of false positives. 

Together, these capabilities allow SOAR workflows to run with more confidence and consistency, even during alert spikes, and without increasing operational overhead. 

Where Sandbox-Driven SOAR Fits in Real Security Stacks 

In enterprise environments, SOAR operates across SIEM, endpoint, and threat intelligence platforms. A sandbox fits into this layer as the system that validates behavior and feeds trusted context back into automation. 

That’s why Interactive Sandbox integrations and connectors are designed to work directly inside widely used SOAR and security platforms, including: 

• IBM Security QRadar SOAR 

• Microsoft Sentinel 

• Microsoft Defender for Endpoint 

• Palo Alto Cortex XSOAR 

• Splunk SOAR 

• FortiSOAR 

• D3 Smart SOAR 

• Google SecOps 

• Rapid7 InsightIDR 

Within these environments, sandbox execution is triggered automatically from incidents or alerts. Files, URLs, and artifacts are analyzed in a safe environment, and the results, verdicts, risk scores, indicators, and behavioral context, are returned directly into the SOAR case. 

This means teams don’t have to switch tools to understand what’s happening. Automation continues with confidence, response actions are triggered earlier, and threat intelligence is enriched as part of the same workflow. 

Sandbox-driven SOAR is embedded into the platforms large organizations rely on today, making it easier to scale response without adding operational complexity. 

From Faster Triage to Lower Risk: The Business Impact of Sandbox-Driven SOAR 

When ANY.RUN’s sandbox is embedded into SOAR workflows, the impact goes beyond faster investigations. It changes how incidents are prioritized, handled, and closed with measurable effects at both the SOC and business level. 

• Real-time threat visibility: Observe full attack chains as they unfold, with 90% of malicious activity exposed within the first 60 seconds, significantly accelerating mean time to detect (MTTD). 

• Higher detection rates for evasive threats: Sandbox execution uncovers low-detection attacks, including multi-stage malware and interaction-dependent phishing, resulting in up to 58% more threats identified and fewer missed incidents. 

• Lower MTTR across common incidents: With behavior confirmation available early, response steps trigger sooner and manual verification is removed from first-line playbooks, consistently shortening response cycles. 

• Operational efficiency at scale: Automated sandbox execution reduces manual analysis time, cutting Tier 1 workload by up to 20% and allowing less experienced team members to handle more complex cases with confidence. 

• Stronger performance during alert spikes: Evidence-driven automation keeps workflows stable during phishing waves or malware campaigns, helping teams avoid backlog growth and burnout. 

• Clear business-level impact: Faster containment reduces the risk of lateral movement, data loss, and downtime, while automation lowers the cost per incident by minimizing repeated manual effort. 

Turning Sandbox-Driven SOAR into a Scalable Security Strategy 

SOAR works best when automation is backed by proof. By adding a sandbox into the workflow, teams replace uncertainty with clear behavior, shorten response cycles, and keep decisions consistent even under pressure. 

With ready-made integrations across common SOAR and security platforms, sandbox-driven workflows fit naturally into existing stacks. The result is faster response, lower operational load, and reduced business risk, without expanding teams or tools. 

See how sandbox-driven SOAR fits into your environment. Explore ANY.RUN’s Enterprise integrations and unified security workflows. 

About ANY.RUN 

ANY.RUN helps security teams make faster, clearer decisions when it matters most. The platform is trusted by over 500,000 security professionals and 15,000+ organizations across industries where response speed and accuracy are critical. 

ANY.RUN’s Interactive Sandbox allows teams to safely execute suspicious files and links, observe real behavior in real time, and confirm threats before they escalate. Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, it adds the context needed to prioritize alerts, reduce uncertainty, and stop advanced attacks earlier in the response cycle. 

Start a 2-week ANY.RUN trial → 

The post Integrating a Malware Sandbox into SOAR Workflows: Steps, Benefits, and Impact  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ANY.RUN is wrapping up 2025 with updates that take pressure off your SOC and help your team work faster. You can now get AI‑generated Sigma rules, track threats by industry and region, and detect new campaigns with better speed and accuracy.  

Let’s see what these improvements bring to your security stack. 

Product Updates 

Industry & Geo Threat Landscape in TI Lookup 

TI Lookup now gives every indicator extra context showing which industries and countries are linked to the threat of your industry and where similar activity is trending. It’s an easy way to see whether a threat actually affects your business or if it’s just background noise.

Built on live data from more than 15,000 organizations, this update helps your team tighten detection focus and reduce blind spots: 

• See what matters first: Identify threats targeting your market or region so you can prioritize high‑risk activity. 

• Triage faster: Skip irrelevant alerts and go straight to the ones that match your exposure. 

• Work with better insight: Use targeted intelligence to guide hunts, automate enrichment, and improve MTTD. 

With TI Lookup, you spot threats earlier, respond faster, and keep your attention where it counts. 

AI Sigma Rules in ANY.RUN Sandbox 

The new AI Sigma Rules feature in the Interactive Sandbox turns your confirmed detections into ready‑to‑use Sigma rules automatically. Instead of spending hours writing them by hand, you can now take the rule straight from the sandbox and add it to your SIEM or SOAR in seconds. 

The rules are created from the same processes, files, and network events you see in the sandbox, so they stay closely tied to real attacker behavior. That means better accuracy and quicker response without extra effort. 

Here’s what you gain: 

• Less manual work: Every confirmed threat instantly becomes a reusable detection rule. 

• Better coverage: Each investigation now improves how your SOC spots similar attacks later. 

• Faster action: Analysts spend less time writing rules and more time acting on real signals. 

Threat Coverage Updates 

In December, our detection team rolled out another wave of coverage improvements with: 

• 86 new behavior signatures 

• 13 new YARA rules 

• 1,686 new Suricata rules 

These updates enhance phishing detection, expand coverage of stealers, loaders, and RATs, and clean up false positives across multi‑stage attacks. 

New Behavior Signatures 

Fresh signatures add visibility into persistence, lateral movement, and abuse of system tools seen across mixed environments. 

Highlighted families include: 

These detections help analysts catch miner and loader activity earlier and recognize evasion tricks like rundll32 abuse or PowerShell obfuscation.

New YARA Rules 

We added 13 YARA rules to improve detection across new malware strains and living‑off‑the‑land tools. 

Highlighted families are STEAL1, SANTASTEALER, UNIXSTEALER, OCTORAT, DonutLoader.

These cover credential theft, modular loaders, and dual‑use administrative tools to ensure better coverage for both Windows and Linux‑based systems. 

New Suricata Rules 

We’ve added 1,686 Suricata rules targeting phishing, botnet activity, and evasive network behaviors often missed by standard IDS. 

• Cephas phish‑kit detection  

• PulsarRAT commands and connections  

• Udados botnet HTTP activity  

Together, these bring better coverage of C2 traffic, phishing domains, and low‑signal campaign infrastructure. 

Businesses that are constantly being bombarded by hundreds of hacker attacks daily can upgrade their proactive defense with ANY.RUN’s Threat Intelligence Feeds. 

Powered by sandbox analyses of the latest malware & phishing samples across 15K SOCs, they deliver fresh, real-time malicious network IOCs to numerous companies around the globe. Enriched with detailed sandbox reports, TI Feeds not only help you catch emerging threats early but also provide your analysts with actionable intelligence for fast remediation, boosting your detection rate and driving down the MTTR. 

Threat Intelligence Reports 

In December we published new TI Reports summarizing late‑year activity: 

• Sturnus, ShinySpider, and Tsundere 

• GuLoader, Albiriox, and OctoRAT 

• ShadowAgent and UDPGangster 

• End of Year Phishing (Available as part of the TI Lookup Premium subscription) 

Each brief distills TTPs, campaigns, and IOCs from live submissions to help SOC teams anticipate what’s next. 

About ANY.RUN 

ANY.RUN powers SOCs at more than 15,000 organizations, giving them faster visibility into live threats through interactive sandboxing and cloud‑based intelligence. 

Our Interactive Sandbox lets you analyze Windows, Linux, and Android samples in real time, watch the execution flow second‑by‑second, and pull IOCs instantly, no installs, no waiting. Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, you get a single workflow built to speed up investigation, cut MTTD and MTTR, and keep your SOC focused on the right threats. 

Start 2026 with faster detection, better threat intel, and less noise.  

Request trial of ANY.RUN’s products for your SOC. 

The post Release Notes: AI Sigma Rules, Live Threat Landscape & 1,700+ New Detections appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users.

The campaign primarily targets Indian vehicle owners via unsolicited SMS messages claiming an overdue traffic fine. The message includes a deceptive URL resembling an official e-Challan domain. Once accessed, victims are presented with a cloned portal that mirrors the branding and structure of the legitimate government service. At the time of this writing, many of the associated phishing domains were active at the time, indicating that this is an ongoing and operational campaign rather than isolated or short-lived activity.

The same hosting IP was observed serving multiple phishing lures impersonating government services, logistics companies, and financial institutions, indicating a shared phishing backend supporting multi-sector fraud operations.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Key Takeaways

• Attackers are actively exploiting RTO/e-Challan themes, which remain highly effective against Indian users.
• The phishing portal dynamically fabricates challan data, requiring no prior victim-specific information.
• The payment workflow is deliberately restricted to credit/debit cards, avoiding traceable UPI or net banking rails.
• Infrastructure analysis links this campaign to BFSI and logistics-themed phishing hosted on the same IP.
• Browser-based warnings (e.g., Microsoft Defender) are present but frequently ignored due to urgency cues.

A sense of urgency, evidenced in this campaign, is usually a sign of deception. By demanding a user’s immediate attention, the intent is to make a potential victim rush their task and not perform due diligence.

Users must accordingly exercise caution, scrutinize the domain, sender, and never trust any unsolicited link(s).

Technical findings

Stage 1: Phishing SMS Delivery

The attack we first identified started with victims receiving an SMS stating that a traffic violation fine is overdue and must be paid immediately to avoid legal action. The message includes:

• Threatening language (legal steps, supplementary charges)
• A shortened or deceptive URL mimicking e-Challan branding
• No personalization, allowing large-scale delivery

The sender appears as a standard mobile number, which increases delivery success and reduces immediate suspicion. (see Figure 2)

Stage 2: Redirect to Fraudulent e-Challan Portal

Clicking the embedded URL redirects the user to a phishing domain hosted on 101[.]33[.]78[.]145.

The page content is originally authored in Spanish and translated to English via browser prompts, suggesting the reuse of phishing templates across regions. (see Figure 3)

The Government insignia, MoRTH references, and NIC branding are visually replicated. (see Figure 3)

Stage 3: Fabricated Challan Generation

The portal prompts the user to enter:

• Vehicle Number
• Challan Number
• Driving License Number

Regardless of the input provided, the system returns:

• A valid-looking challan record
• A modest fine amount (e.g., INR 590)
• A near-term expiration date
• Prominent warnings about license suspension, court summons, and legal proceedings

This step is purely psychological validation, designed to convince victims that the challan is legitimate. (see Figure 4)

Stage 4: Card Data Harvesting

Upon clicking “Pay Now”, victims are redirected to a payment page claiming secure processing via an Indian bank. However:

• Only credit/debit cards are accepted
• No redirection to an official payment gateway occurs
• CVV, expiry date, and cardholder name are collected directly

During testing, the page accepted repeated card submissions, indicating that all entered card data is transmitted to the attacker backend, independent of transaction success. (see Figure 5)

Infrastructure Correlation and Campaign Expansion

CRIL identified another attacker-controlled IP, 43[.]130[.]12[.]41, hosting multiple domains impersonating India’s e-Challan and Parivahan services. Several of these domains follow similar naming patterns and closely resemble legitimate Parivahan branding, including domains designed to look like Parivahan variants (e.g., parizvaihen[.]icu). Analysis indicates that this infrastructure supports rotating, automatically generated phishing domains, suggesting the use of domain generation techniques to evade takedowns and blocklists.

The phishing pages hosted on this IP replicate the same operational flow observed in the primary campaign, displaying fabricated traffic violations with fixed fine amounts, enforcing urgency through expiration dates, and redirecting victims to fake payment pages that harvest full card details while falsely claiming to be backed by the State Bank of India.

This overlap in infrastructure, page structure, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits government transport services to target Indian users.

Further investigation into IP address 101[.]33[.]78[.]145 revealed more than 36 phishing domains impersonating e-Challan services, all hosted on the same infrastructure.

The infrastructure also hosted phishing pages targeting:

• BFSI (e.g., HSBC-themed payment lures)
• Logistics companies (DTDC, Delhivery) (see Figures 7,8)

Consistent UI patterns and payment-harvesting logic across campaigns

This confirms the presence of a shared phishing infrastructure supporting multiple fraud verticals.

SMS Origin and Phone Number Analysis

As part of the continued investigation, CRIL analyzed the originating phone number used to deliver the phishing e-Challan SMS. A reverse phone number lookup confirmed that the number is registered in India and operates on the Reliance Jio Infocomm Limited mobile network, indicating the use of a locally issued mobile connection rather than an international SMS gateway.

Additionally, analysis of the number showed that it is linked to a State Bank of India (SBI) account, further reinforcing the campaign’s use of localized infrastructure. The combination of an Indian telecom carrier and association with a prominent public-sector bank likely enhances the perceived legitimacy of the scam. It increases the effectiveness of government-themed phishing messages. (see Figure 9)

Conclusion

This campaign demonstrates that RTO-themed phishing remains a high-impact fraud vector in India, particularly when combined with realistic UI cloning and psychological urgency. The reuse of infrastructure across government, logistics, and BFSI lures highlights a professionalized phishing operation rather than isolated scams.

As attackers continue shifting from malware delivery to direct financial fraud, user awareness alone is insufficient. Infrastructure monitoring, domain takedowns, and proactive SMS phishing detection are critical to disrupting these operations at scale.

Our Recommendations:

• Always verify traffic fines directly via official government portals, not SMS links.
• Organizations should monitor for lookalike domains abusing government and brand identities.
• SOC teams should track shared phishing infrastructure, as takedown of one domain may disrupt multiple campaigns.
• Telecom providers should strengthen SMS filtering for financial and government-themed lures.
• Financial institutions should monitor for card-not-present fraud patterns linked to phishing campaigns.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1566.001	Phishing: Spearphishing via SMS
Credential Access	T1056	Input Capture
Collection	T1119	Automated Collection
Exfiltration	T1041	Exfiltration Over C2 Channel
Impact	T1657	Financial Theft

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

Indicators	Indicator Type	Description
echala[.]vip echallaxzov[.]vip	Domain	Phishing Domain
echallaxzrx[.]vip
echallaxzm[.]vip
echallaxzv[.]vip
echallaxzx[.]vip
echallx[.]vip
echalln[.]vip
echallv[.]vip
delhirzexu[.]vip
delhirzexi[.]vip
delhizery[.]vip
delhisery[.]vip
dtdcspostb[.]vip
dtdcspostv[.]vip
dtdcspostc[.]vip
hsbc-vnd[.]cc
hsbc-vns[.]cc
parisvaihen[.]icu
parizvaihen[.]icu
parvaihacn[.]icu
101[.]33[.]78[.]145	IP	Malicious IP
43[.]130[.]12[.]41

The post RTO Scam Wave Continues: A Surge in Browser-Based e-Challan Phishing and Shared Fraud Infrastructure appeared first on Cyble.

Cyble – ​Read More