For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
MediaArea vulnerabilities
Discovered by Dimitrios Tatsis of Cisco Talos.
MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. MediaInfoLib provides a UI for technical and tag data for video and audio media files. Talos discovered four vulnerabilities in MediaInfoLib.
TALOS-2026-2367 (CVE-2026-25104),TALOS-2026-2368 (CVE-2026-25713),TALOS-2026-2371 (CVE-2026-28764), andTALOS-2026-2374 (CVE-2026-22554) are heap-based buffer overflow vulnerabilities in various functionalities of MediaInfoLib (version(s): 26.01). All can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.
What happens when a malware analyst decides to build a product he always wished he had? The case of ANY.RUN tells us that ten years later it may turn into an industry-standard solution, adopted by 74 Fortune 100 companies.
Celebrating a decade of ANY.RUN, CEO Aleksey Lapshin shared his perspective on the evolution of the company, the reality of AI in cybersecurity, and why human expertise remains the most valuable asset in the age of AI.
Key Takeaways
According to Aleksey Lapshin, ANY.RUN was created to solve real problems analysts faced every day: slow investigations, fragmented tools, and inefficient workflows.
Lapshin believes that despite rapid AI adoption, human expertise and manual verification are becoming even more valuable in modern SOC operations.
One of ANY.RUN’s biggest competitive advantages is its community-driven threat intelligence built from thousands of daily analyst investigations.
The company’s long-term vision is to create a faster, less stressful, and more effective environment for cybersecurity teams.
The CEO argues that AI will not replace cybersecurity professionals; instead, it will increase the need for skilled analysts capable of validating and responding to complex threats.
The Foundation of ANY.RUN
Q: Going back a decade, what was the initial spark that led to the creation of ANY.RUN in 2016?
Aleksey Lapshin: It started as a very personal mission. I worked as a malware analyst and the tools we had at the time were simply ineffective for the reality of the job. Most antiviruses only gave a simple “yes/no” verdict, while my actual task was to deeply research malware behavior and extract valuable IOCs. Analyzing just one sample and getting meaningful results often took an entire day of manual work.
I wanted to build a malware sandbox that removed that manual routine of setting up your virtual environment, gave you full interactive control over the VM, and brought the whole process to a unified standard. The main goal was simple: get results fast. I wanted to see what a threat actually does in real time, within seconds of detonating the malware, instead of waiting 10+ minutes for a standard sandbox report.
Q: How did you go from building a personal project to launching a full product?
At first, it was just my personal project that I kept using and improving. Then I thought maybe others could use this too. I made a basic landing page, spent $100 on Google Ads, and quickly got more than 100 requests, many from security professionals at large enterprises. The unexpected response inspired me to try to make the sandbox available to the public. But for that, I needed more hands on deck.
We started with just two people, then grew to three. With this small team, we launched the first public version and even built the very first paid version. For a long time, I personally handled marketing, spoke with potential customers, and closed sales myself. Thanks to that hands-on approach, we reached operational profitability almost from the very beginning.
We also made a strategic decision to offer a free tier, which was instrumental in building a community around the service early on. Instead of being a solution forced on teams from the top down by management, SOC teams began to adopt us because the analysts themselves found it faster and more effective than anything else they had. This allowed the product to grow naturally within organizations.
Evolution and the Modern SOC
Q: How have the company’s goals evolved over these 10 years?
For a long time, we grew by focusing almost exclusively on the analyst’s technical needs and their individual workspace. Today, we’ve shifted to looking at the landscape from two sides: the analyst and the business.
Our goal now is to ensure that ANY.RUN’s solutions provide the value businesses and MSSPs need. That means not just helping analysts investigate threats, but helping organizations reduce detection gaps that directly translate into business risk, incident impact, and operational disruption.
Q: In small versus large SOCs, how does the role of ANY.RUN differ?
It is hard to speak for every SOC, but I can give you the most common scenarios. In smaller teams where a SOC might not even be fully formed, ANY.RUN’s solutions often become the primary, central workstation. The analysts there are usually handling Tier 1, 2, and 3 duties all at once. They need a “do-it-all” environment where they can perform manual investigations and get immediate results.
In large-scale enterprise SOCs, where there is a massive and constant flow of alerts, we integrate into a much larger chain of products like SIEM, SOAR, and EDR to provide actionable context. But no matter how advanced the company’s security or how strong their automation is, manual verification is still essential, even more so in the age of AI.
Attackers now can generate countless sophisticated and convincing phishing variants in seconds. This is exactly why ANY.RUN’s solutions are where SOC teams go to get the real ground truth, remove uncertainty, and make final decisions about risk.
“No matter how advanced the company’s security or how strong their automation is, manual verification is still essential, even more so in the age of AI.”
Q: What is the ideal place for ANY.RUN in a modern SOC environment?
I’ve always wanted it to be a place where people actually feel comfortable and confident working, which is rare in this industry. Most security solutions can be sterile, exhausting, and quite dull.
I aim for ANY.RUN to be a burnout-free environment SOC teams actually want to return to because it reduces their fatigue and gives them certainty in their findings. We want to be recognized as one of the primary, essential locations in a SOC, and I’m really happy that clients confirm in their reviews that we’re succeeding in this. But we also know that it requires us to keep working hard to maintain that level of trust and responsibility.
“I aim for ANY.RUN to be a burnout-free environment SOC teams actually want to return to.”
Philosophy of Growth
Q: What were the biggest personal milestones and challenges for you during this journey?
I don’t really view our history through “big bang” milestones or singular moments of triumph. To me, the most important part of the journey has been the constant, incremental improvements we make every single day.
That said, there is one moment that really stands out to me. Just a couple of months after we released the paid version, the first company reached out and told us they wanted to buy an ANY.RUN subscription for 7 users on a three-year contract. It felt both exciting and overwhelming. I wasn’t sure if we were ready for that level of responsibility, but it made me very proud. It was the real validation that we were solving a genuine pain point for companies.
As for the biggest challenge, I would say it is always the next step right in front of us, especially since we usually have multiple development streams running at the same time.
Q: What’s your personal philosophy on growth and success after 10 years of building the company?
I don’t believe in the traditional cycle of setting a target, reaching it, and then stopping to rest before the next one. What works for me is simply moving forward step by step. I’m always in the middle of achievements, which means less rest but also constant progress. When you look back, you realize how far you’ve come.
The AI Landscape and ANY.RUN’s Biggest Competitive Advantage
Q: With AI dramatically lowering the bar for software development, what is ANY.RUN’s biggest competitive advantage today?
Modern AI can indeed recreate an interface or mimic basic detection logic, but it cannot copy ten years of community trust and human-driven telemetry.
Our real capital isn’t just the software, it’s the data moat we’ve built over a decade of focusing on the real needs of security professionals. Every day, more than 10,000 companies contribute valuable data to this ecosystem. Their analysts investigate the latest malware and phishing in the sandbox, which generates large volumes of unique telemetry on active threats.
In theory, AI could build a clone of our sandbox that looks just as good, or even better, but without the community-sourced threat data, it would be like a beautiful car with no gas.
Our “gas” is over 35,000+ daily human-driven investigations every day, creating a continuous stream of real-world threat intelligence. This data directly translates into faster detection, better context, and earlier understanding of emerging attacks for our paid clients, giving them a clear advantage against attackers.
That’s why we’ve been investing in and supporting the ANY.RUN community for 10 years, and it continues to be our number one priority.
“AI could build a clone of our sandbox that looks just as good, or even better, but without the community-sourced threat data, it would be like a beautiful car with no gas.”
Q: What’s your take on the idea of fully autonomous AI SOCs?
I see AI as a double-edged sword. It drives rapid innovation on both the attacking and defending sides of the cybersecurity landscape.
Yet, attackers will always be faster because defense must be massive and cover everything, while an attack only needs one successful vector to succeed. Criminals don’t just target systems; they target people. In a phishing attack, for example, they can leverage AI to craft a message designed to bypass another AI so that a human will eventually click on it.
Because of this reality, I believe the idea of a fully autonomous SOC where AI simply fights cyber threats without any human involvement is totally unrealistic. That is exactly the reason why, with the rise of AI threats, manual verification of alerts by SOC analysts is actually becoming more valuable than ever before. You need a person to validate what the AI might miss or what the attacker has specifically designed to appear benign to an automated filter.
Of course, many basic attacks can already be largely handled by AI, especially at the detection and initial triage stages. But as more attackers adopt AI, the volume of attacks grows exponentially, so even with higher automation, the total amount of work requiring human validation is likely to increase rather than decrease.
“With the rise of AI threats,manual verification of alerts by SOC analysts is becoming more valuable than ever before.”
Q: What are the main risks for companies that are trying to replace their Tier 1 analysts with AI?
I would say there are two core risks that companies often overlook.
First, as I said, if you rely solely on AI, attackers will eventually adapt their methods specifically to bypass those filters, and if you’ve removed the human element, you have no last line of defense.
Second is the “knowledge erosion” problem. Tier 1 is the essential training ground for future specialists; if you automate it entirely, where do your Tier 2 and Tier 3 analysts come from in a few years? You’ll eventually end up with a workforce that lacks foundational experience and “gut feeling” because they never “grew up” handling those initial, real-world alerts. Over time, this creates a structural risk where organizations lose their ability to investigate, contain, and respond to incidents effectively.
Q: Would you say the cybersecurity industry in 2026 actually needs more people than ever before?
Absolutely, and thinking otherwise is a self-delusion. While AI helps us automate certain tasks, it also allows attackers to scale the volume and complexity of their strikes exponentially.
AI doesn’t reduce the need for people in security. It increases the number of problems only people can solve. We’ve found that with the arrival of AI, the industry actually requires more skilled people to deal with the new categories of problems that AI-driven attacks are creating.
“AI doesn’t reduce the need for people in security. It increases the number of problems only people can solve.”
Looking Forward
Q: As you look forward, what are the key strategic tasks for ANY.RUN in the coming years?
Our main goal right now is to provide a powerful decision-making layer for SOC and MSSP teams. We want to bring all critical information together so analysts can move from alert to a final decision as quickly and easily as possible.
We will continue doubling down on our biggest advantage, the unique data we have, while expanding detection capabilities, scaling our infrastructure, and ensuring our solutions deliver real value to both analysts and the business.
Get Special ANY.RUN Offers Before May 31
To mark its 10th anniversary, ANY.RUN is offering special conditions for SOCs, MSSPs, and enterprise security teams that want to strengthen phishing analysis, threat intelligence, and response readiness.
Trusted by security teams worldwide, including 74 Fortune 100 companies, ANY.RUN helps organizations bring earlier threat visibility into the workflows where response decisions happen.
Special offers by ANY.RUN for threat analysis and intelligence solutions
Until May 31, teams can access anniversary offers across key ANY.RUN solutions, including:
Interactive Sandbox‘s Enterprise Suite plan to safely analyze suspicious links, files, emails, and phishing pages with behavior-based visibility, with bonus seats and exclusive pricing available for teams.
Threat Intelligence’s Complete plan with extra months to help teams connect single cases to related infrastructure, IOCs, campaigns, and broader threat activity.
This is a great opportunity to close social engineering blind spots, reduce gray-zone investigations, and give teams clearer evidence before trusted workflows turn into exposure.
Reduce the delay between detection and confident action. Get your ANY.RUN’s 10th anniversary special offer.
ANY.RUN delivers cybersecurity solutions designed to support security operations in businesses and organizations. The company’s goals is to help security teams understand threats faster, make informed decisions, and use threat intelligence across detection, investigation, and response workflows in SOCs and MSSPs.
The company’s solutions include Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions accumulating investigation data from 15,000+ SOCs for instant enrichment and early threat detection.
ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into clear, actionable evidence.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-27 13:06:362026-05-27 13:06:36Inside ANY.RUN’s 10-Year Evolution: An Interview with CEO Aleksey Lapshin
Security teams need high-quality, labeled datasets to train threat hunters and incident responders, validate detection logic, and develop robust analytic models.
EvidenceForge helps teams overcome the limitations of anonymized or stale public datasets, while avoiding the cost and complexity of setting up real infrastructure and performing manual attack simulations to create their own.
The tool incorporates sophisticated timing models and assigns specific roles to users and systems, generating realistic malicious activity, background noise, and “red herrings” to optimize data realism.
The tool generates correlated logs across 20+ Windows, Linux, and network monitoring formats using a canonical event model that ensures causal and temporal consistency.
Good data is hard to find… and to create
A lot of important work in security depends on having realistic log data to work with, and a lot of that work gets blocked, watered down, or quietly skipped because the data just isn’t available. The use cases come up constantly: teaching threat hunters, incident responders, and detection engineers with datasets that have known ground truth; validating that a detection fires on the right activity without drowning in false positives; and training ML models that need labeled, balanced, multi-source telemetry at scale.
These are different problems with the same root cause. You need realistic, labeled security logs and you can’t get them easily. The options are limited:
Real production telemetry is a compliance problem. Public datasets are often so heavily anonymized they no longer resemble the original log sources. The LANL dataset and OpTC are well-known examples of data scrubbed to the point of being generic event representations rather than actual telemetry. What isn’t anonymized is stale, narrow, and over-recycled.
You can generate data yourself using attack simulation frameworks like Atomic Red Team or MITRE Caldera, but that requires real infrastructure, is time-consuming to operate, and scales poorly when you need variety.
You can hire a red team, which trades complexity for money but still takes weeks and produces only the specific scenario they ran.
Synthetic generators seem like an obvious solution and manyexistingones are genuinely useful tools, but they share a common architectural limitation: They generate events independently, one format at a time, with no shared state across log sources. The result is datasets where events don’t tell a coherent story. For example, a process in Sysmon doesn’t connect to the same process in standard Windows logs, or a network logon doesn’t leave a consistent connection trace. More capable tools support attack chains and MITRE ATT&CK mapping, but even then, they generate individual events rather than simulating something that happened, with all the prerequisite and consequent evidence that real activity would produce. Realistic background noise is largely absent.
What analysts detect when they call data synthetic is the absence of a coherent causal story. The logs don’t line up because they emit each log entry independently from the others, and they are not modeling a series of connected events.
The answer: A new kind of synthetic data
EvidenceForge is a new open-source project from Cisco Talos that approaches the problem differently. It features a single canonical event model, causal ordering, realistic background noise, and AI-assisted scenario authoring. The result is a synchronized dataset across 20+ log formats (Windows, Linux, network, and endpoint detection and response [EDR] telemetry), complete with ground truth documentation and an analyst briefing.
One honest note: No purely synthetic dataset will fool a seasoned analyst in every case, but that’s okay. The goal is fidelity that’s good enough to be useful, not something that’s indistinguishable from production.
The core idea: One event, many formats
Most synthetic log generators are a collection of independent emitters. Each one knows how to produce its own format but doesn’t share state with the others. You can see the seams the moment you cross-reference across sources.
EvidenceForge inverts that. Every piece of evidence flows from a single canonical SecurityEvent object. That object carries a timestamp and event type, plus over 30 composable context objects populated as needed: ProcessContext (PID, parent PID, image, command line), NetworkContext (src/dst IP and port, Zeek UID, shared across Zeek, EDR, and SNORT®), AuthContext (username, LogonID, logon type, result), DnsContext and HttpContext (protocol-layer detail that fans out into the corresponding Zeek log types), and many more. Emitters read only the fields relevant to their format.
The consequence of shared contexts is that emitters cannot disagree. There is one PID, one LogonID, one timestamp, and one Zeek UID. The engine is also OS-aware: Windows hosts produce Security Events and Sysmon while Linux hosts produce syslog and bash history, each according to the OS assigned to each host in the scenario.
All of this is driven by a scenario configuration file: a YAML document describing the environment (hosts, users, network topology) and an optional attack storyline. The engine reads that file and produces the correlated dataset.
What the engine produces
From a single scenario, EvidenceForge generates several correlated log formats:
Windows Security Events (30 event IDs covering authentication, process lifecycle, Kerberos, persistence, account management, and more)
Sysmon (10 event IDs)
EDR/XDR telemetry
Linux syslog
bash history
Zeek logs in JSON format
Snort IDS alerts
Firewall logs
Web server access logs
Forward HTTP proxy logs
The exact output logs depend on a combination of the components in the simulated environment, and which log sources you may have opted to disable.
Every attack scenario also produces two companion documents.
“ENVIRONMENT.md” is an analyst briefing consisting of organizational context, network layout, user roles, naming conventions — everything an analyst would need before diving into the logs, with zero information about the attack itself.
“GROUND_TRUTH.md” documents exactly what happened including a narrative, a timeline, and key IOCs.
Causality, not just sequence
Real logs are both temporally and causally ordered. Before a domain logon, there’s a Kerberos TGT, then a TGS. Before a TCP connection to a hostname, there’s a DNS query. This is the physics of how the protocols work.
EvidenceForge ships with a composable rule engine that auto-generates prerequisite events with realistic timing offsets so that each event sits exactly where an analyst would expect to pivot to it:
A logon in the scenario expands to the Kerberos exchange that made it possible.
A connection to a named host gets the DNS resolution inserted beforehand.
A privileged admin command generates downstream audit events.
Network visibility is a first-class concept
Most synthetic generators are too visible, meaning that every connection gets a log, regardless of whether a sensor would have seen it. Real networks don’t work that way. Traffic between hosts on the same VLAN may never cross a SPAN port. East-west traffic in a segmented network may be invisible to perimeter sensors. A TAP at the internet edge sees outbound traffic but nothing internal.
EvidenceForge lets you declare sensor placement in the scenario: SPAN or TAP, monitored segments, and direction. The engine determines which connections each sensor could realistically observe and only emits network logs where they’d actually appear. If your environment has a monitoring gap, the generated data has that same gap, which is exactly the kind of thing analysts need to learn to reason about.
AI co-develops the story; a script generates the evidence
The hard part of realistic synthetic data is scenario design, not generation. Describing a coherent attack lifecycle with the right tactics, techniques, and procedures (TTPs); realistic sequencing; and plausible actor behavior requires research and protocol knowledge most people don’t carry in their heads.
EvidenceForge addresses this with Claude/Codex skills. You bring intent (an attack type, an environment, a training objective), the AI brings research and technical scaffolding (a guided interview, MITRE ATT&CK TTP research), and together you collaboratively develop the attack narrative, resulting in a validated YAML scenario file.
The YAML is version-controllable, shareable, and editable. Once it exists, generation is entirely deterministic: a Python script reads the config and produces all the correlated log evidence.
This separation is the optimal balance of what each technology is good at. AI excels in narrative coherence, TTP research, and protocol knowledge. A deterministic script excels at the thousands of cross-referenced field values, causal prerequisite chains, and inter-format consistency checks that make up a realistic dataset. This would overwhelm even a capable LLM at scale, and hallucinated field values or subtle inconsistencies would undermine the whole point.
A typical scenario costs pennies in API calls to co-develop, and the data generates in seconds or minutes rather than the hours or days an LLM-based approach would require. EvidenceForge also produces identical output every run because randomness is seeded. Built-in validation checks the scenario for schema correctness and cross-reference integrity before generation runs, and the AI can automatically fix most errors it finds.
Making the background convincing
Attack events are only useful if analysts have to work to find them. Noise quality matters as much as signal quality.
EvidenceForge’s baseline engine generates several types of realistic background noise, including:
Legitimate lateral movement patterns (backup agents, monitoring tools, AD replication, application-to-database traffic)
User and application-driven network activity (web browsing, SMB file share access, RDP sessions, scheduled service polling)
Per-user diversified command pools, depending on user role
Red herrings (suspicious-looking events or patterns that are benign)
Timing is just as important as content. Volume-level realism without burst-level texture still looks synthetic. EvidenceForge uses three complementary timing models:
A Hawkes process for user activity, a self-exciting model where each event makes the next more likely for a short window, then decays, matching how people actually work in bursts
A periodic envelope for large-scale structure (Monday login storms, Friday drop-off, and near-zero weekends)
Periodic intervals plus jitter for modelling recurring automated events like scheduled tasks, background updates, and other system and service traffic
Most timing details are exposed in the scenario or engine config files, so you can tweak them to make them as realistic as you like for your simulated environment.
Getting started
EvidenceForge is available on GitHub. Clone the repo and follow the install instructions in the README.
The core experience is a guided conversation. Start the /eforge:scenario command and describe what you want. You can be as specific or as vague as you like. Bring a fully formed scenario and the AI helps translate it into a valid configuration; bring a rough idea and it asks the right questions, fills in the gaps, and makes suggestions until you have something technically coherent and satisfyingly realistic. From there, the skill leads you through validation, generation, and a brief automated data quality evaluation. You come out the other end with a complete, correlated dataset and companion documents. A full CLI is also available for scripted workflows.
What will you build?
EvidenceForge removes the data bottleneck. The question becomes what you do with that. The following are just a few examples:
Build a SOC analyst training program with scenarios tailored to your environment.
Test detections against controlled, labeled datasets before they go near production. See whether they fire on the attack and how they behave against realistic noise.
Generate the labeled training data your ML model needs.
Stress-test a new SIEM or detection pipeline against volume and variety you control.
Create repeatable practice exercises that can be regenerated on demand after tuning.
The scenarios themselves are shareable artifacts. A scenario developed for one team can be shared, adapted, or built on by others. The right mental model is high-fidelity training and testing data — not a production telemetry substitute — but within that framing, the use cases are broad.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-27 07:06:462026-05-27 07:06:46BTMOB: A stealthy RAT burrowing deep into Android devices
May 2026 showed how fast routine business activity can turn into real security exposure. ANY.RUN observed phishing campaigns, fileless malware delivery, credential theft, OTP interception, and remote access abuse targeting organizations across industries.
From fake invitations and banking portals to compromised B2B websites and Word Online lures, the month’s attacks had one thing in common: they were built to look normal long enough to delay detection.
Here are the major attacks from May and what SOC teams should take away from them.
Key Business Risks That Stood Out in May Attacks
The most important lesson from May’s attacks is that many of these campaigns were designed to hide inside normal business activity long enough to create real exposure.
Phishing turned into direct access risk: May campaigns did not stop at fake login pages. They led to credential theft, OTP interception, remote access tool installation, and possible account takeover.
Trusted workflows became attack paths: Fake invitations, Word Online pages, banking portals, legitimate B2B websites, and RMM tools helped attackers lower suspicion and delay detection.
Fileless and browser-based techniques reduced visibility: Blob-generated pages, injected scripts, PowerShell execution, and in-memory payloads made some attacks harder to catch with traditional file or network-based controls.
Credential theft created broader business exposure: Stolen email, browser, banking, and session data can open the door to BEC, fraud, SaaS compromise, supplier risk, and lateral movement.
Delayed certainty became the biggest SOC problem: When teams cannot quickly confirm whether access was stolen, remote access was installed, or C2 activity happened, response slows and business risk grows.
Strengthen your entire SOC with Enterprise Suite. Get special 10th Anniversary offers from ANY.RUN.
May’s campaigns were concentrated around the business functions and user groups that attackers can use to reach valuable accounts, financial workflows, and internal systems. For CISOs, this helps show where security reviews, detection coverage, and response playbooks should be prioritized first.
Target Area
What Attackers Focused On
Finance and banking users
Banking login flows, customer account access, and payment-related interactions.
Procurement and payroll teams
Employees handling invoices, purchase orders, payroll files, and supplier communication.
Corporate email users
Business inboxes, Microsoft 365 accounts, webmail access, and internal communication channels.
IT and support workflows
Remote support processes, software installation flows, and admin-adjacent activity.
Employees using business websites
Everyday browsing activity on legitimate or familiar-looking websites.
SaaS and cloud account users
Accounts connected to business apps, shared data, and company operations.
High-exposure industries
Finance, banking, healthcare, manufacturing, technology, education, and government.
1. Routine Invitations Created High-Impact Access Risk for U.S. Organizations
In May, ANY.RUN tracked a fake invitation phishing campaign targeting U.S. organizations. The attack used familiar event-style lures to guide users through what looked like a normal invitation flow. Behind that flow, attackers could move victims toward credential theft, OTP interception, and in some cases remote access tool delivery.
This campaign shows how a simple business interaction can turn into an access incident. The user does not need to open an obviously malicious file or interact with a suspicious-looking page. They only need to follow an invitation that feels familiar. From there, the risk can expand from one employee action to exposed credentials, compromised mailboxes, unauthorized remote access, and wider business exposure.
CISO priority: Security leaders should treat fake invitation flows as more than phishing noise. These attacks test whether the SOC can connect email, browser, identity, and remote access signals fast enough to understand real exposure. ANY.RUN helps teams safely open the full flow, observe credential and OTP collection, identify possible remote access tool delivery, and pivot to related infrastructure before the same campaign reaches more users.
2. Business Document Lures Put LATAM Enterprises at Credential Theft Risk
ANY.RUN also analyzed an Agent Tesla campaign targeting enterprises in Latin America. The attack used familiar business-document themes, including purchase orders, invoices, payroll files, and procurement requests, to reach employees who regularly work with external files and supplier communication.
This type of attack goes after the business functions where one stolen credential can quickly create financial and operational exposure. If attackers gain access to email accounts, browser credentials, FTP logins, or other stored data, the risk can move beyond one infected endpoint. It can support BEC, supplier fraud, cloud account compromise, and wider access across company systems.
Business risk to reduce: Finance, procurement, and payroll inboxes should be treated as high-risk business entry points. A suspicious invoice or purchase order is not only an attachment problem; it may be the first sign of credential theft that can later support fraud or unauthorized access. With behavior-based sandbox analysis, teams can quickly confirm whether a file executed, what data it tried to collect, and which accounts need immediate protection.
May also showed how legitimate B2B websites can be abused to deliver malware without relying on obvious malicious files. In this activity, attackers used compromised websites and injected scripts to move users toward PowerShell execution, in-memory payload delivery, and outbound C2 communication.
This is dangerous as the attack starts from a place employees may already trust. The website can look legitimate, the traffic may not stand out at first, and the malicious activity becomes clearer only later in the chain. For enterprises, that means a normal browsing session can turn into fileless execution before the SOC has enough evidence to react.
Reduce the delay between detection and action
Get Enterprise Suite with a special offer until May 31.
Detection gap to close: This is where reputation-based controls are not enough. A known business website can still become part of the attack chain, and fileless execution may leave fewer obvious artifacts for Tier 1 teams to catch. ANY.RUN gives analysts a way to see what happens after the page loads: script behavior, PowerShell activity, memory execution, process injection, and C2 communication. That turns a suspicious browsing event into a response-ready case.
4. OTP Phishing Showed How Fast Financial Access Can Be Weaponized
ANY.RUN tracked a large-scale phishing campaign impersonating a U.S. financial institution. The campaign used a multi-step flow to collect usernames, passwords, OTP codes, and email verification data. Its infrastructure was also highly reusable, with hundreds of related phishing domains already identified.
Technical details of the large-scale OTP phishing campaign
This attack highlights a dangerous shift: MFA does not remove phishing risk when attackers can intercept OTPs in real time. Once users submit credentials and verification codes, attackers can move closer to account takeover, fraud, and unauthorized access before security teams have a clear picture of what happened.
For enterprises, the lesson goes beyond one banking-themed campaign. Any organization that relies on login codes, email verification, or user-driven authentication flows needs to understand where those flows can be copied, replayed, or abused.
MSSP priority: The priority is to move from single-alert handling to campaign-level detection. Blocking one domain will not stop an operation built on reusable templates and rotating infrastructure. ANY.RUN Threat Intelligence helps MSSPs connect related phishing pages, infrastructure, and recurring artifacts, so teams can prove whether authentication data was exposed and help clients act before stolen access becomes fraud or account takeover.
5. Fake Word Online Lures Turned Document Access into Remote Control
Another May attack started with an Outlook email and redirected users to a fake Word Online / OneDrive-style page. Instead of pushing an obvious malware download, the chain moved through software installation stages and eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools.
This is the kind of attack that creates real confusion inside security operations. On the surface, the user is trying to open a business document. Deeper in the chain, the attacker is setting up remote access through tools that may look similar to normal IT or support activity.
For MSSPs, this is especially dangerous as one alert may not immediately look like a full compromise. A fake document page, a silent installer, an RMM tool, and concealment activity may appear as separate weak signals unless the team can connect them fast.
Access question for leaders: This attack should push CISOs and MSSPs to ask a harder question: not “Did malware run?” but “Did someone gain hands-on access to the environment?” Remote access abuse is dangerous because it can look close to legitimate IT activity while giving attackers a path back into the network. Teams should expose the full chain from phishing page to installer behavior, RMM deployment, concealment activity, and follow-on access signals to can contain the access path before it becomes persistence.
6. BlobPhish Exposed a Blind Spot in Browser-Based Credential Theft
May also brought attention to BlobPhish, a credential-phishing campaign targeting Microsoft 365, major U.S. financial institutions, and webmail services. Instead of loading a phishing page in the usual way, the attack generated the page directly inside the browser using blob objects, keeping the malicious content in memory.
This matters as many phishing defenses still depend on what can be seen in the email, URL, or network request. BlobPhish weakens that visibility. The page can appear after the browser builds it locally, which makes the attack harder to judge using traditional signals alone.
For CISOs, this creates a dangerous gap between what the user experiences and what the security stack can clearly prove. For MSSPs, it raises the investigation burden across clients: teams need to understand not only where the user clicked, but what the browser created after the click.
Visibility gap to close: BlobPhish shows why phishing response cannot stop at URL checks. The real danger is the gap between what the user sees in the browser and what security teams can prove afterward. ANY.RUN allows teams to reproduce the browser-side flow safely, observe how the phishing page is generated, and capture the credential-theft behavior that may not be visible through standard inspection alone. For CISOs and MSSPs, this closes a critical evidence gap before stolen accounts turn into BEC, SaaS compromise, or client-wide exposure.
Give Your SOC the Visibility May’s Attacks Demand with Enterprise Suite
May’s attacks made one thing clear: the earliest signs of compromise are often hidden inside normal workflows. A user follows an invitation, opens a supplier file, visits a trusted website, enters an OTP, or previews a document, and the SOC may only see scattered signals until the risk has already moved forward.
Outcomes reported by teams using ANY.RUN’s Enterprise Suite
That is where ANY.RUN Enterprise Suite gives security leaders stronger control. Teams get full sandbox functionality, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and TI Lookup & YARA Premium to validate threats faster and investigate sensitive cases without losing visibility or control.
Stengthen your SOC with ANY.RUN’s special offers available until May 31
With these capabilities, enterprise teams can:
Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time.
Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved.
Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access.
Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history.
Strengthen detection coverage with TI Lookup & YARA Premium to connect related infrastructure, IOCs, and attack patterns.
Support enterprise-scale response with longer VM timeout and analysis across major operating systems.
ANY.RUN’s 10th-anniversary special offers are available until May 31, making this a timely opportunity for SOCs, MSSPs, and enterprise security teams to expand threat analysis and intelligence capabilities, reduce investigation delays, and respond with more confidence.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC, MSSP, and enterprise security teams detect threats earlier, and investigate incidents faster.
With its Interactive Sandbox, Threat Intelligence Lookup, TI Feeds, and YARA Search, ANY.RUN gives teams the visibility they need to analyze suspicious files, URLs, scripts, phishing pages, and malware behavior in real time. Security teams can safely observe full attack chains, extract IOCs, investigate related infrastructure, and turn unclear alerts into evidence they can act on.
Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN supports faster triage, stronger threat visibility, and more confident response across modern SOC workflows.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-26 12:06:382026-05-26 12:06:38Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-23 08:06:372026-05-23 08:06:37Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise
Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.
This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.
What is BootROM?
To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the fab.
The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.
This is exactly what attackers can do by exploiting the CVE-2026-25262 vulnerability discovered by Kaspersky ICS CERT researchers.
Emergency Download Mode as an entry point
The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.
Sahara is implemented directly within the ARM PBL (Primary Boot Loader) — the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.
The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.
Write-what-where: the core of the vulnerability
In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.
Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.
Which devices are affected
The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 — every single version released to date, until the vulnerability is patched by the manufacturer.
These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones, while the SDX50 is used in automotive control units.
How vulnerable devices get attacked
The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:
Smartphone repairs at third-party repair shops, where the phone is left for several hours
Customs checkpoints in certain countries, where devices are withheld, inspected, and then returned
Lost and found scams, where your phone is stolen, tampered with, and then mysteriously found
Corporate espionage via an insider or a rogue employee
With just a few minutes of physical access to the device an attacker can plant a backdoor so deep inside that standard research tools won’t even detect it in most cases.
Why there’s no patch — and what to do
Qualcomm was notified of the discovery in March 2025 and confirmed the vulnerability in its chips. To identify it, the vendor reserved CVE-2026-25262, and on April 20, 2026, Kaspersky ICS CERT published technical information on the vulnerability and recommendations for users.
Qualcomm included this vulnerability in its May security bulletin. While fixing already-made devices is fundamentally impossible, the company promised to make all future chips without this vulnerability.
If you currently own a device with an affected chip, use our recommendations below to help mitigate the risk of infection.
Enforce strict physical control: don’t leave your devices unattended, especially when traveling or on business trips.
Choose only authorized service centers for repairs and maintenance.
Regularly update your firmware — this won’t patch the BootROM vulnerability, but it can eliminate many related vulnerabilities at higher levels.
Use a Kaspersky for Android on your device. This will safeguard your gadget from other threats that, combined with this vulnerability, could lead to unpredictable consequences.
If you notice that your gadget with a vulnerable Qualcomm chip starts acting up — overheating when idle, reporting unexpected spikes in network traffic, or exhibiting strange app behavior — you may have fallen victim to this vulnerability. You can wipe the malicious code and reset your device to its baseline state simply by completely cutting its power. This means either pulling the battery or letting it drain all the way to zero until the gadget shuts down entirely. In this case, the malicious code will most likely not persist on the device — during our research, we were unable to confirm that it could achieve persistence in non-volatile memory.
Want to learn more about severe vulnerabilities in Android phones? Check out these posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-23 06:12:052026-05-23 06:12:05Breaking down the new Qualcomm chip vulnerability | Kaspersky official blog
Welcome to this week’s edition of the Threat Source newsletter.
“It takes very little to govern good people. Very little. And bad people can’t be governed at all. Or if they could, I never heard of it.” ― Cormac McCarthy, No Country for Old Men
Most of my career has been built on dichotomy: striving to be a supportive teammate while also pushing every boundary in front of me. I’ve often been told to “never do X, only do Y,” but I’ve invariably chosen to do X anyway (even when fraught with peril) to get to the deeper answer. For years, I was told that I should perform in certain ways — instead of in ways that made sense for my brain and way of learning.
I wasn’t governable, but I wasn’t bad. Just … challenging. While Sheriff Ed Tom Bell’s view of good vs. bad is compelling, maybe our careers should be defined as “acquiescent” vs. “challenging.” It’s less of an existential crisis that way.
Over the past few years, I’ve been enjoying the mentoring aspect of my career. One of the things that I love to share with people is that being ungovernable is very challenging early in career; it’snot a favorite of middle management, but it can take you to places that you really want to be (i.e., Talos). The road is going to be longer and much bumpier than your governable cohort, but this is the long con.
The path to Talos was long and arduous, but I’ve learned to make my career choices through the lens of the axiom, “If you’re the smartest person in the room, you’re in the wrong room.” It’s been the only guidepost I’ve needed. I don’t know that it applies to everyone, because everyone is unique, but it absolutely helps me decide what I want to learn, what I want to dive into, who I want to surround myself with.
The secret lies in the last comment — it’s the people. If you continue to search for the smartest people in the room, you’ll find it and when you do, you’ll find that you aren’t ungovernable — rather, you’re understood. Be ungovernable (but kind) in the short term, find new ways to solve problems, think around solutions in new ways, program in different languages, and be the person in the meeting that says, “I think we should do Y instead, and here’s why.”
I suspect that this is the same approach many of you already take in your daily roles when identifying threats vs. benign activity, choosing your pivots in hunting, or deciding the priorities in device replacement. It’s a natural direction for the intellectually curious, so be kind, but ungovernable.
“The future of intelligence must be about search, while the future of ignorance must be about the inability to evaluate information.” ― Patricia Lockwood, No One Is Talking About This
The one big thing
Cisco Talos has recently discovered a commodityBadIISmalware variant fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups. Identifiable by its embedded “demo.pdb” strings, this toolset boasts a multi-year development cycle complete with builder tools and persistence mechanisms. Threat actors are leveraging this robust framework to easily execute malicious search engine optimization (SEO) fraud, hijack server content, and redirect traffic to illicit sites.
Why do I care?
This is a highly active, commercially driven malware ecosystem. The author constantly pushes rapid updates to introduce new features and actively evade specific security vendors, making it a persistent headache for defenders. Because this BadIISvariant is sold as a commodity tool, it lowers the barrier to entry for cybercriminals, leading to widespread attacks that silently hijack server traffic without triggering obvious alarms.
So now what?
Defenders should actively monitor IIS environments for unauthorized traffic redirection, unexpected reverse proxying, or sudden spikes in “503 Service Unavailable” errors. Threat hunting efforts should also target the distinct “demo.pdb” strings and associated Chinese-language folder paths within IIS binaries. Ensure your endpoint detection solutions are updated to catch these reactive evasion tactics, and read the full blog for complete coverage and indicators of compromise (IOCs).
Top security headlines of the week
CISA exposes secrets, credentials in “private” repo A researcher discovered a public GitHub repository belonging to CISA that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. (Dark Reading)
NYC Health + Hospitals says hackers stole medical data and fingerprints, affecting at least1.8 million people The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. (TechCrunch)
Bug bounty businesses bombarded with AI slop Companies that pay hackers to find flaws in their software are being inundated with low-quality (often false) reports generated by AI, forcing some to suspend the programs altogether. (Ars Technica)
FourOpenClawflaws enable data theft, privilege escalation, and persistence The vulnerabilities, collectively dubbed Claw Chain, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. (The Hacker News)
New NGINX vulnerability allows remote attackers to trigger malicious code A new vulnerability in NGINX JavaScript (njs) allows unauthenticated remote attackers to trigger a heap‑based buffer overflow that can lead to denial‑of‑service and, in some conditions, remote code execution in the NGINX worker process. (Cyber Security News)
Can’t get enough Talos?
TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital’s Norton VPN. The vulnerabilities have been patched by their respective vendors.
Webinar: AI found the problem. Now what? Experts from Talos and Cisco Security will examine how AI is changing the game for both defenders and well-resourced adversaries, and why the most persistent risks often remain rooted in unpatched legacy systems.
Breaking things to keep them safe with Philippe Laulheret From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-21 18:07:202026-05-21 18:07:20The art of being ungovernable
We’ve written time and again about how QR codes are used in phishing schemes. Our secure email gateway solution even includes technology to read these codes — not just from emails, but also from attachments — and check the embedded links. Yet, attackers haven’t given up on trying to send QR codes to their victims. Lately, we’ve increasingly seen them use ASCII art for this purpose — images composed of characters. This seems particularly ironic considering that phishers once tried to evade link scanning by hiding links in images, and now they’re trying to dodge image scanning by going back to text. But with a few twists.
The lost art of ASCII, and how attackers use it
It’s hard to believe today, but there was a time when computers couldn’t display graphics. Consequently, the very first computer images were constructed from text characters. Following the adoption of the standard in 1963, characters from the ASCII (American Standard Code for Information Interchange) set were used for this type of artwork to ensure that images looked the same across different computers. Over time, other text symbols (for example, from the extended Unicode set) began to be used to create images, but the name “ASCII graphics” remained the term used to describe this art form as a whole. There were serious artists working in this medium, the earliest websites were designed with ASCII art, and even the first computer pornography was rendered with text characters.
As image display technology evolved, ASCII art began to fall out of fashion. It saw a major resurgence in the 2000s during the heyday of email spam. Back then, spammers primarily used it because it allowed them to disguise blatant spam keywords that could trigger mail filters, while also placing less load on mail servers than images. Additionally, since many users paid for volume of internet traffic at the time, they often disabled image loading in their email clients. Naturally, at that time, we augmented our email security solutions with technology specifically designed to block ASCII art.
Now, ASCII art has been rediscovered — this time by those looking to bypass technology that recognizes QR codes within images.
What does ASCII art phishing look like?
Here’s a recent example. The pretext itself is pretty run-of-the-mill: someone has supposedly sent to victim a confidential document via DocuSign, but to open it the recipient needs to scan the QR code in the email to visit a website and enter corporate login credentials.
A QR code rendered with unicode characters. We’ve blurred out a portion of the code to prevent the malicious link from being scanned.
Admittedly, the code looks weird. This is primarily because it’s drawn piece-by-piece in pseudo-graphic elements, and even the gaps between the lines can be seen. In reality, there’s no actual image in the e-mail message code; the QR code looks something like this behind the scenes:
ASCII art inside the email code
As a result, link scanners can’t see the link, and image analysis tools can’t find the URL hidden inside the QR code, so the attackers assume the phishing email is going to reach the victim just fine. Spoiler alert: no, we haven’t forgotten how to block ASCII art.
Is a QR code in an email even normal?
In theory, there are situations where using a QR code makes sense. It’s a fairly convenient way to share contacts, a link to a mobile app, a map location, or a configuration. In other words, it works well whenever information needs to be delivered specifically to the recipient’s mobile device.
However, someone using a QR code to make you enter corporate credentials on a mobile device is an instant red flag. And when that QR code is generated with ASCII art, it’s clearly a phishing attempt or an effort to lure you to a malicious URL. This trick can only have one purpose — an attempt to bypass security controls.
Additionally, we recommend regular security awareness training to educate employees on modern phishing tactics. Specifically, to explain that ASCII art in modern emails can be a telltale sign of an attempted phishing attack.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-21 06:06:332026-05-21 06:06:33ASCII art in phishing emails | Kaspersky official blog
