How many real threats hide behind the noise your SOC faces every day? 

When hundreds of alerts demand attention at once, even the best analysts start to lose focus. The nonstop pressure to react to everything drains energy, clouds judgment, and opens the door to real risk. 

Teams using ANY.RUN have already flipped that script: 

• 90% of attacks become visible within 60 seconds, giving analysts instant context instead of endless guesswork. 

• 94% of users report faster triage, cutting time spent on false positives and low-value alerts. 

• 95% of SOC teams speed up investigations, easing the overload that leads to burnout. 

Ready to see how to get there? This action plan lays out the steps CISOs can take to turn alert fatigue into lasting focus. 

Step 1: Replace Guesswork with Real-Time Visibility 

Alert fatigue often begins with uncertainty. Analysts spend hours dissecting fragmented data, trying to connect the dots between partial logs and incomplete alerts. When they can’t see the full story, every alert feels critical, and fatigue takes over. 

Real-time behavioral visibility changes everything. With ANY.RUN’s interactive sandbox, your team watches the attack unfold in a safe environment. From the first process execution to registry changes and data exfiltration attempts, every move is mapped in real time. 

That level of context replaces guesswork with confidence. 

Check recent attack fully exposed in real-time 

In the following example, analysts used the sandbox to expose a phishing attack that abused ClickUp to deliver a fake Microsoft 365 login page, uncovering the full chain in seconds. 

With ANY.RUN’s real-time visibility, team achieve: 

• 3× higher efficiency in daily operations 

• 15 sec median MTTD 

• Fewer false positives and missed threats 

• Faster response and a calmer, more focused SOC 

Step 2: Automate the Routine, Protect Human Focus 

Even the strongest SOCs lose precious hours to repetitive work, copying IOCs, exporting reports, updating tickets. None of these tasks strengthen defense; they just drain energy and attention. Over time, that’s how alert fatigue turns into burnout. 

But not every task can or should be automated. Many modern threats still require human-like interaction to be revealed: clicking a phishing link, solving a CAPTCHA, or scanning a QR code that hides a malicious redirect. Traditional tools stop short there. 

That’s where automated interactivity changes everything. 

With ANY.RUN’s sandbox, analysts get the best of both worlds; automation that behaves like a human when automated interactivity is enabled. It clicks through phishing pages, solves CAPTCHAs, follows redirects, and even scans QR codes that hide malicious links. All of this happens automatically, revealing threats most tools would miss. And when deeper insight is needed, analysts can jump in at any point to interact directly. 

Outcome of automation and interactivity: 

• Hidden threats revealed that traditional tools can’t detect 

• Faster investigations with less manual work 

• Lower analyst fatigue through balanced automation 

• Human control preserved for high-priority incidents 

This combination helps analysts uncover complex threats in less time and enables Tier 1 teams to resolve more cases independently. 

According to recent data among ANY.RUN’s users: 

• 20% lower workload for Tier 1 analysts 

• 30% fewer escalations from Tier 1 to Tier 2 

Step 3: Integrate Live Threat Intelligence to Cut Through the Noise 

Even the best SOCs struggle to stay focused when analysts waste hours chasing outdated data; verifying expired domains, checking inactive IOCs, or switching between disconnected tools just to confirm what’s real.  

You can easily solve this with the help of live, connected intelligence.  

ANY.RUN’s Threat Intelligence Feeds pull verified indicators from 15,000 organizations and 500,000 analysts worldwide, all sourced from real-time sandbox investigations. This means your team acts on current data, active phishing kits, live redirect chains, and real attacker infrastructure, not last month’s reports. 

When this intelligence is integrated into your SOC tools, analysts no longer need to jump between platforms or second-guess stale alerts. Every IOC is backed by behavioral evidence and traceable to a live analysis. 

With this setup, your team can: 

• Validate alerts instantly using verified, real-time data 

• Eliminate repetitive checks for outdated or inactive indicators 

• Trace every IOC back to its full attack chain 

• Make faster, evidence-based decisions without leaving their workflow 

As a result, businesses achieve stronger detection, less context-switching, and sharper focus across all SOC operations. 

Step 4: Create a Unified Response Workflow 

Even the most advanced SOCs lose efficiency when investigations and follow-ups aren’t coordinated. Without clear ownership and visibility into who’s handling what, tasks overlap, progress stalls, and important findings slip through the cracks. 

With ANY.RUN’s teamwork features, CISOs and SOC leads can manage investigations within a single workspace: assigning tasks, tracking analyst progress, and keeping every case organized.  

Each analysis also generates a structured, shareable report, so findings are easy to review, reuse, or hand off across shifts. 

This unified workflow keeps everyone aligned, from initial detection to final response, while ensuring accountability and consistency across the SOC. 

With a unified response workflow, you can ensure: 

• Clear task ownership and visibility into investigation progress 

• Structured, shareable reports for faster knowledge transfer 

• Stronger coordination between analysts and response leads 

• Higher overall efficiency with no duplicated effort 

Time to Give Your Team a Break from the Noise 

Alert fatigue is a sign of systems that demand too much and explain too little. 
By giving your analysts real-time visibility, automation that understands context, and intelligence they can trust, you give them what they need most: focus. 

When the noise quiets down, your team moves with intent; faster investigations, sharper decisions, and actions backed by real context instead of guesswork. 

Talk to ANY.RUN experts to see how your SOC can leave alert fatigue behind. 

About ANY.RUN 

Built for modern SOC operations, ANY.RUN helps teams detect, analyze, and respond to threats in real time. Its Interactive Sandbox reveals full attack behavior, from process execution to network activity, giving analysts the clarity they need to act with confidence. 

Compatible with Windows, Linux, and Android, the cloud-based sandbox provides deep behavioral visibility with no setup required. Integrated Threat Intelligence Lookup and TI Feeds deliver continuously updated, automation-ready IOCs that strengthen every layer of detection. 

Experience it with a 14-day trial → 

The post Solve Alert Fatigue, Focus on High-Risk Incidents: An Action Plan for CISOs  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Eric Parker, a recognized cybersecurity expert, has recently released a video on ClickFix attacks, their detection, analysis, and gathering threat intelligence. Here is our recap highlighting the key points and practical advice.

ClickFix as the Signature Threat of 2025

In 2025 the internet saw a sharp surge in a deceptively simple but highly effective social-engineering technique known as ClickFix: fake CAPTCHA pages tricking victims into running commands or pasting paths that install malware on their devices. What began as isolated malvertising and phishing pages has evolved into cross-platform, professionally produced scam traps and the second most prevalent attack vector globally, trailing only traditional phishing.  
 
ClickFix bypasses automated defenses by turning victims into unwitting accomplices, exploiting human psychology over technical tricks and vulnerabilities. 

The Technique Essence in a Nutshell 

An attacker presents a convincing CAPTCHA / verification / “fix this” UI that instructs the user to copy & paste a short snippet into a system dialog or terminal (for example: Run dialog, File Explorer address bar, or Terminal). JavaScript on the page often silently places an obfuscated command on the clipboard and/or shows an instruction video.  

When the user pastes and hits Enter they execute that command which downloads and runs malware. The chain relies entirely on social engineering and trusted OS interfaces rather than exploit primitives. 
 
ClickFix isn’t limited to Windows. In 2025 campaigns increasingly tailored payloads and instructions for macOS and Linux. Often they abused legitimate distribution/installation flows (for example, spoofing Homebrew install pages or using shell commands) making the technique even more stealthy on non-Windows platforms.  

ClickFix is especially dangerous for organizations because: 

• It bypasses technical defenses — the user executes the malware themselves, making the activity look legitimate to EDR and antivirus. 

• It is cross-platform — targeting Windows, macOS, and Linux, and sometimes abusing legitimate package managers such as Homebrew on macOS. 

• It scales cheaply and quickly — attackers automate landing pages, videos, OS detection, and payload delivery. 

• It delivers high-impact threats — info-stealers, remote access trojans, and ransomware are already distributed via ClickFix and its variants (e.g., FileFix). 

For businesses, this means that endpoint protection alone is not enough. Security teams must pair behavioral detection and browser controls with threat intelligence that tracks malicious domains, payloads, and evolving social-engineering patterns. The attack surface isn’t a vulnerability in code — it’s a vulnerability in human workflows. 

ClickFix Examples: Exploring with ANY.RUN 

So, let’s see how the technique functions by finding ClickFix samples via ANY.RUN’s Threat Intelligence Lookup and observing their behavior in Interactive Sandbox.  

We can discover ClickFix analyses simply by a threat’s name – although TI Lookup allows to combine over 40 search parameters for more complicated and precise queries. We can use the name of a file, the name of a process, and even a registry key; it is possible to find malware that does a specific thing like connecting to a certain domain or making some requests.  

threatName:”clickfix” 

Example 1: Fake Updates 

Here is the first example: view a sandbox session. 

This is an example of a “fix-this” swindle persuading a user to run a command to complete a fake Windows update. What happens if they follow the instructions?  
 
mshta.exe process is initiated (utilizing a somewhat unusual IP with a “0x” in it). 

It triggers a PowerShell command that drops an .exe file. 

It reads a specific registry key to check if the user is running a certain type of virtual machine and reads the BIOS version which belongs to yet another anti-analysis trick. Pay attention to the process OOBE-Maintenance.exe: looks like it has been injected since it’s a legitimate file, but it’s loading DLLs and demonstrates very suspicious activities.  

So, we can classify this sample as malicious revealing info-stealer activity along with anti-analysis.

And here we see a malicious extension having been dropped. Google Chrome puts a lot of effort into making it hard for infostealers, but unfortunately infostealers worked around that. 

Example 2: Stealthy Classic 

Let us view another analysis. It’s a typical ClickFix pseudo-CAPTCHA:  

By running this command, we do mshta for a certain domain that drops payload. And then the system works like nothing has happened, and the CAPTCHA just worked, and everything is fine. But actually, this computer is completely pwned. A massive payload is delivered.  

Example 3: Forged CloudFlare, Actual RAT 

View sandbox analysis 

Here we see a “verification” website abusing CloudFlare services. Note that the first CAPTCHA is a genuine CloudFlare CAPTCHA:  

And then there comes the tricky one:  

This sample is not as clever as the previous one: it’s not stealthy, a PowerShell window opens up and hints that something might be amiss here.  

PowerShell spawns this GUI urging the user to click “Continue” which sends them to the actual Booking com so they might think everything is okay.  

Nothing could be further from the truth. The file travelsecurity.exe is dropped, creates persistence, and it all looks like a phishing attack.  

Example 4: FileFix and Explorer Commands 

This is a relatively new version: a Docusign scam. View analysis. 
 
If you don’t look closely, it seems to be a perfectly legit document that just requires user signature. Eric says he’s been receiving a lot of those via email, usually disguised as sponsorship offers.  

But there is the first possible-phishing red flag: the domain eu2-docusign[.]net is not a subdomain of Docusign, it masks like one using a hyphen.  

We can call this attack variant FileFix as there is no CAPTCHA, just a path to copy into Windows Explorer and open a file to be signed.

(There is also a DocFix variant that masquerade as document viewer errors, particularly targeting Microsoft Office and PDF workflows. MeetFix exploits fake Google Meet errors.)
 
So the path is copied into the Explorer address bar… And Eric is surprised that you can run commands in Explorer. The command is separated from the path by a string of spaces and is not visible for the user unless they scroll the address bar. 

What the user sees:  

What they can see after dragging their cursor to the right:  

The string runs the PowerShell command:  

And a couple of processes later we can welcome an info stealer in the system:  

How to Keep Up with New ClickFix Attacks 

So, this is how ClickFix technique works, and this is how it can be researched via Threat Intelligence Lookup and Interactive Sandbox. Over 15,000 SOC teams all over the world analyze fresh malware samples daily, generating loads of contextual data on prevalent and emerging threats.  

Use TI Lookup to check IOCs for associations with ClickFix attacks and protect proactively:  

domainName:”i-like-ele-phants-verification.live” 

Update blocklists, employ targeted preventative controls (e.g., clipboard-protection extensions, blocking certain address-bar patterns in enterprise policies), use TI to create detection rules (SIEM, EDR) that look for suspicious curl | sh, Run dialogue invocations, PowerShell one-liners, or unusual child processes after a browser session. 

Conclusion

ClickFix is a human-centric, high-ROI social-engineering technique that matured into a major vector in 2025. It’s cross-platform, fast-evolving (FileFix and other address-bar / clipboard tricks), and amplified by automated tooling and AI. 
 
As AI continues to enhance attack sophistication and lower barriers to entry, organizations must evolve their defenses beyond technical controls to include robust threat intelligence, user education, and behavioral detection. The ClickFix threat will persist and evolve—only through comprehensive, intelligence-driven security programs can organizations hope to stay ahead of this signature threat of 2025. 

FAQ 

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.     

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.     

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.     

Want to see it in action? 

Start your 14-day trial of ANY.RUN today →         

The post ClickFix Explosion: Cross-Platform Social Engineering Turns Users Into Malware Installers  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Microsoft has released its monthly security update for November 2025, which includes 63 vulnerabilities affecting a range of products, including 5 that Microsoft marked as “critical.” Current intelligence shows that one of the important vulnerabilities, CVE-2025-62215, has already been detected in the wild. 

Out of five “Critical” entries, three are remote code execution (RCE) vulnerabilities in Microsoft Windows components including GDI+, Microsoft Office, and Visual Studio. One is an elevation of privilege vulnerability affecting the DirectX Graphics Kernel. 

In the following sections we give a concise overview of the critical and important entries that are most relevant for defenders. The full catalogue of all reported issues can be found on Microsoft’s official update page. 

Exploited in the Wild 

One “important” vulnerability was confirmed to have been exploited in the wild. 

CVE-2025-62215 is a Windows Kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7.8, where a race condition in Windows Kernel allows an authorized attacker to elevate privileges locally. Microsoft assessed that the attack complexity is “low”. 

Critical Vulnerabilities 

Among all the critical vulnerabilities, none of them were labelled as exploitation more likely. Five are considered exploitation less likely. Below we describe each of those five entries. 

CVE-2025-60724 is a RCE vulnerability in GDI+, given a CVSS 3.1 score of 9.8, where a heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. The vulnerability can be triggered by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction. An attacker doesn’t require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause RCE or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.   

CVE‑2025‑30398 is a Nuance PowerScribe 360 information disclosure vulnerability, given a CVSS 3.1 score of 8.1, where missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. An unauthenticated attacker could exploit this vulnerability by making an API call to a specific endpoint. The attacker could then use the data to gain access to sensitive information (including PII data) on the server. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”. 

CVE‑2025‑62199 is a RCE vulnerability in Microsoft Office applications, given a CVSS 3.1 score of 7.8, where a use‑after‑free flaw in Microsoft Office allows an unauthenticated attacker to execute code locally on a vulnerable workstation. To exploit this vulnerability, an attacker must send the user a malicious file and convince them to open it. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.   

CVE‑2025‑60716 is a DirectX Graphics kernel elevation of privilege vulnerability, given a CVSS 3.1 score of 7, where a use‑after‑free flaw in Windows DirectX allows an authorized attacker to elevate privileges locally. Successful exploitation of this vulnerability requires an attacker to win a race condition. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.   

CVE‑2025‑62214 is a RCE vulnerability in Visual Studio, given a CVSS 3.1 score of 6.7, where AI command injection in Visual Studio allows an authorized attacker to execute code locally. Exploitation is not trivial for this vulnerability as it requires multiple steps: prompt injection, Copilot Agent interaction, and triggering a build. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.   

Important Vulnerabilities 

Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely”:    

CVE‑2025‑59512 – Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability.  

CVE‑2025‑60705 – Windows CSC Service Elevation of Privilege Vulnerability 

CVE-2025-60719 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-62217 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

CVE-2025-62213 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.   

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 65496-65501, 65507-65510. There are also these Snort 3 rules: 301343-301345, 301347, 301348.  

Cisco Talos Blog – ​Read More

We recently covered the ClickFix technique. Now, malicious actors have begun deploying a new twist on it, which was dubbed “FileFix” by researchers. The core principle remains the same: using social engineering tactics to trick the victim into unwittingly executing malicious code on their own device. The difference between ClickFix and FileFix is essentially where the command is executed.

With ClickFix, attackers convince the victim to open the Windows Run dialog box and paste a malicious command into it. With FileFix, however, they manipulate the victim into pasting a command into the Windows File Explorer address bar. From a user perspective, this action doesn’t appear unusual — the File Explorer window is a familiar element, making its use less likely to be perceived as dangerous. Consequently, users unfamiliar with this particular ploy are significantly more prone to falling for the FileFix trick.

How attackers manipulate the victim into executing their code

Similar to ClickFix, a FileFix attack begins when a user is directed — most often via a phishing email — to a page that mimics the website of some legitimate online service. The fake site displays an error message preventing access to the service’s normal functionality. To resolve the issue, the user is told they need to perform a series of steps for an “environment check” or “diagnostic” process.

To do this, the user is told they need to run a specific file that, according to the attackers, is either already on the victim’s computer or has just been downloaded. All the user needs to do is copy the path to the local file and paste it into the Windows File Explorer address bar. Indeed, the field from which the user is instructed to copy the string shows the path to the file — which is why the attack is named “FileFix”. The user is then instructed to open File Explorer, press [CTRL] + [L] to focus on the address bar, paste the “file path” via [CTRL] + [V], and press [ENTER].

Here’s the trick: the visible file path is only the last few dozen characters of a much longer command. Preceding the file path is a string of spaces, and before that is the actual malicious payload the attackers intend to execute. The spaces are crucial for ensuring the user doesn’t see anything suspicious after pasting the command. Because the full string is significantly longer than the address bar’s visible area, only the benign file path remains in view. The true contents are only revealed if the information is pasted into a text file instead of the File Explorer window. For instance, in a Bleeping Computer article based on research by Expel, the actual command was found to launch a PowerShell script via conhost.exe.

What happens after the malicious script is run

A PowerShell script executed by a legitimate user can cause trouble in a multitude of ways. Everything depends on corporate security policies, the specific user’s privileges, and the presence of security solutions on the victim’s computer. In the case mentioned previously, the attack utilized a technique named “cache smuggling”. The same fake website that implemented the FileFix trick saved a file in JPEG format into the browser’s cache, but the file actually contained an archive with malware. The malicious script then extracted this malware and executed it on the victim’s computer. This method allows the final malicious payload to be delivered to the computer without overt file downloads or suspicious network requests, making it particularly stealthy.

How to defend your company against ClickFix and FileFix attacks

In our post about the ClickFix attack technique, we suggested that the simplest defense was to block the [Win] + [R] key combination on work devices. It’s extremely rare for a typical office employee to genuinely need to open the Run dialog box. In the case of FileFix, the situation is a bit more complex: copying a command into the address bar is perfectly normal user behavior.

Blocking the [CTRL] + [L] shortcut is generally undesirable for two reasons. First, this combination is frequently used in various applications for diverse, legitimate purposes. Second, it wouldn’t fully help, as users can still access the File Explorer address bar by simply clicking it with the mouse. Attackers often provide detailed instructions for users if the keyboard shortcut fails.

Therefore, for a truly effective defense against ClickFix, FileFix, and similar schemes, we recommend first and foremost deploying a reliable security solution on all employee work devices that can detect and block the execution of dangerous code in time.

Second, we advise regularly raising employee awareness about modern cyberthreats — particularly the social engineering methods employed in ClickFix and FileFix scenarios. The Kaspersky Automated Security Awareness Platform can help automate employee training.

Kaspersky official blog – ​Read More