Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” 

In this month’s release, none of the included vulnerabilities have been observed by Microsoft being actively exploited in the wild. Out of eleven “critical” entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Windows Remote Desktop Service, Windows Schannel (Secure Channel), KDC Proxy service, Microsoft Office, Word and SharePoint server. There are two elevation of privilege vulnerabilities affecting Windows NetLogon and Power Automate. 

CVE-2025-32710 is the RCE vulnerability in Windows Remote Desktop Services and is given CVSS 3.1 score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to a use-after-free scenario, and then leveraging this to execute arbitrary code. Microsoft has assessed that the attack complexity is “high,” and exploitation is “less likely.” 

CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements Secure Sockets layer (SSL) and Transport Layer Security (TLS) Protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory by Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit this vulnerability through the malicious use of fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high”, and exploitation is “less likely”.  

CVE-2025-33071 is the RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and Domain controllers are not affected. Microsoft has assessed that the attack complexity is “high”, and exploitation is “more likely”.  

CVE-2025-47172 is the RCE vulnerability in Microsoft SharePoint server given CVSS 3.1 score of 8.8. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper neutralization of special elements used in a SQL command which would allow an authorized attacker to execute code over a network. To exploit this vulnerability an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely.” 

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. The vulnerabilities CVE-2025-47164 and CVE-2025-47953 are “use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office and the CVE-2025-47167 is a “type confusion” vulnerability which is triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker exploits these vulnerabilities and executes arbitrary code on the victim’s machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is “low,” and exploitation is “more likely.” For CVE-2025-47953, the attack complexity is “low,” and exploitation is “less likely.”  

Microsoft listed two critical elevations of privilege vulnerabilities. 

CVE-2025-33070 is an elevation of privilege critical vulnerability in Windows Netlogon. An attacker could exploit the vulnerability by leveraging an authentication bypass in the Windows Netlogon service using uninitialized resources. An attacker, by successfully exploiting this vulnerability, could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely.”  

Microsoft noted that the CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. This vulnerability in Power Automate exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability with CVSS 3.1 base score of 9.8 has been fully mitigated and no further action is required by the users.  

Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that exploitation is “more likely:” 

• CVE-2025-32713 – Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
• CVE-2025-32714 – Windows Installer Elevation of Privilege Vulnerability. 
• CVE-2025-47962 – Windows SDK Elevation of Privilege Vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.  

Cisco Talos Blog – ​Read More

Gen Z, or “Zoomers”, are those born between ~1997 and 2012. That’s a 15-year age gap between the oldest and youngest. So what could they possibly have in common? Well, every member of Gen Z is a digital native. They barely remember a time before computers, smartphones, and social media. More than any other generation, Gen Z loves games (especially our own — Case 404 — we hope!), TV shows, and movies. Sometimes, they even shape their identities by constantly connecting with their favorite characters. Naturally, this level of immersion makes them a prime target for malicious actors.

Kaspersky experts have released two reports detailing how cybercriminals target Gen Z through their love of games, movies, TV shows, and anime. Check out the full versions of the first and second reports to dive deeper.

How gamers get attacked

In the one-year period from April 1, 2024, we recorded at least 19 million attempts to distribute malware disguised as games popular with Gen Z. The top three games targeted by these attacks were GTA, Minecraft, and Call of Duty, together accounting for a staggering 11.2 million attempts. So, why are these particular games at the top of both gamers’ and cybercriminals’ lists? We just might know the reason. They’re replayable; that is, players can dive back in any time and still get a fresh experience. Besides, these titles boast massive online communities. Players are constantly creating content, making mods, and searching for cheats and cracked versions.

One of the most common threats facing Gen Z gamers is phishing — where cybercriminals impersonate a trusted entity and tempt players with promises of free in-game rewards to lure them into sharing personal data. Enticing trade offers and easy ways to earn money are some of the most popular tricks used against gamers.

We uncovered a phishing site that looked eerily similar to a legitimate Riot Games campaign. The campaign aimed to blend two different universes: the game Valorant and the animated series Arcane. Players were invited to “spin the wheel” for a chance to win exclusive new skins. In reality, gamers who participated in this “contest” essentially handed over their gaming accounts, banking details, and phone numbers to third parties. Of course, they received no skins in return.

A beautiful background and recognizable characters — what more do you need to fall for a scam?

But it’s not just about scams. In November 2024, our experts from the Global Research and Analysis Team (GReAT) uncovered a campaign where attackers were distributing the Hexon stealer disguised as game installer files. Once installed, this malware attacked gaming platforms; for example, it could extract user data from Steam. On top of that, Hexon targeted messaging apps like Telegram and WhatsApp, and other social media platforms, such as TikTok, YouTube, Instagram, and Discord.

These fake installers flooded gaming forums, chats on Signal and Telegram, Discord channels, and popular file-sharing sites. The cybercriminals promoted the Hexon stealer using a malware-as-a-service model, where some malicious actors provide malware to others — often less tech-savvy ones — for a fee.

Example of attackers’ message in a Discord channel

Interestingly, a short while later, the creator of Hexon announced a rebrand. The stealer was now called “Leet”, and was offered at a 50% discount. Unlike its predecessor, the updated version can bypass sandboxes by checking the infected device’s public IP address and system specifications. If the stealer detects signs of being in a virtual machine, it shuts down immediately.

How movie, TV show, and anime fans get attacked

We dug into some data provided by the Kaspersky Network Security (KSN) — our global threat intelligence network which processes cyberthreat information from every corner of the world. We analyzed the data for the same one-year period starting April 1, 2024, and here’s what we found:

• Netflix was dangled as bait in about 85 000 attacks. That’s nearly 233 times a day.
• Gen Zers aren’t the only ones passionate about anime. Cybercriminals are big fans too, with 250 000 attacks recorded during the reporting period.
• The total number of leaked streaming-service accounts exceeded seven million.

When it comes to the most exploited streaming platforms, alongside Netflix, we found Amazon Prime Video, Disney+, Apple TV+, and HBO Max at the top of the list. Scammers used these brand names in their campaigns throughout the year, with no significant peaks or troughs in popularity. Mostly, they used a classic approach: sending phishing links to fake websites while pretending to represent a streaming platform. The pretexts, however, varied. In some instances, attackers would prompt users to renew their subscriptions or update payment details — only to direct them to a fake site to do so. Such emails often mimicked the streaming service’s official style, making it easy to miss the red flags.

Phishing website imitating the official Netflix page

Beyond just harvesting personal data, these bad actors also distributed various malware. RiskTool was a big one, accounting for around 80% of all attempts. While not malicious on its own, it’s often used in conjunction with other threats, such as miners, helping them conceal their presence in the infected system.

Many of the attacks were designed to steal users’ personal information. We uncovered roughly seven million compromised accounts across Netflix, Amazon Prime Video, Disney+, Apple TV+, and HBO Max. Stolen accounts are typically used by cybercriminals to spread phishing links and malware to more users, or they’re sold off to other malicious actors at a low price.

Anime fans weren’t spared by the digital villains, either. Unsurprisingly so — recent data shows that over 65% of Gen Z watch anime. To gauge just how often attackers targeted fans of Japanese animation, we focused on five popular anime titles: Naruto, One Piece, Demon Slayer, Attack on Titan, and Jujutsu Kaisen. We recorded over 250 000 attack attempts centered around just these five titles. The undisputed leader? Naruto, with over 114 000 attempts.

How Gen Zers can stay cybersafe

Zoomers should protect themselves in the same way as everyone else who enjoys TV shows, games, movies, and anime, and is generally active online. Here’s a short list of the “golden rules” to help protect your accounts, banking details, and devices from prying eyes.

(If you want to learn more about cybersecurity, try your hand as a detective in our new, free browser-game, Case 404. It features three storylines, each showing what can go wrong when you skip out on proper digital hygiene. But for now, let’s get back to those rules.)

• Stick to official sources when downloading games, TV shows, and anime. Seriously, ditch the torrents, sketchy third-party sites, and random links strangers share on forums and in chats. And here’s a heads-up: even official game stores can sometimes get infiltrated by malware. To learn more, read Gamers beware: Trojans have invaded Steam.
• Enable two-factor authentication (2FA) everywhere you can. By the way, tokens can be conveniently stored in Kaspersky Password Manager.
• Remember the adage about a free lunch? Yep — there’s no such thing. Be skeptical of giveaways of skins, cheats, in-game currency, or supposedly leaked episodes of your favorite TV show or anime.
• When you’re paying online, only use virtual cards with spending limits. That way, your main bank account stays safe — even if something goes sideways.
• Use robust security. A security solution will warn you when you’re about to open a phishing website, and help you detect threats in time, even if they’ve already made their way onto your device.
• Read the full reports on attacks targeting Gen Z. The report on movies, TV shows, and anime is here, and the one on gaming attacks can be found here.

The last, but perhaps one of the most important, rules is to stay one step ahead. Subscribe to our Telegram channel to make your online life safer.

How else attackers target Gen Z as well as other demographic groups:

• Arcane stealer instead of Minecraft cheats
• Phishing in Netflix and beyond
• Steam and mirrors: how gamers get duped
• How (not) to play tanks and catch a backdoor
• What happens if you download a cracked program?

Kaspersky official blog – ​Read More

According to OpenLogic’s “State of Open Source” report, 96% of surveyed organizations use open-source solutions (OSS). Such solutions can be found in every segment of the IT market — including infosec tools. And they’re often recommended for building SIEM systems.

At first glance, OSS seems like a great choice. A SIEM system’s primary function is systematic telemetry collection and correlation, which you can set up using well-known data storage and processing tools. Just gather all your data with Logstash, hook up Elasticsearch, build the visualizations you need in Kibana — and you’re good to go! A quick search will even get you ready-made open-source SIEM solutions (often built on the same components). With SIEMs, adapting both data collection and processing to your organization’s specific needs is always key, and a custom OSS system offers endless possibilities for that. Besides, the license cost is zero. However, the success of this endeavor hinges on your development team, your organization’s specifics, how long your organization is willing to wait for results, and how much it’s ready to invest in ongoing support.

Time is money

A key question — one whose importance is consistently underestimated — is how long it’ll take before your company’s SIEM not only goes live but actually starts delivering real value. Gartner data shows that even a fully-featured, ready-made SIEM takes an average of six months to fully implement — with one in ten companies spending a year on it. And if you’re building your own SIEM or adapting an OSS, you should expect that timeline to double or triple. When budgeting, multiply that time by your developers’ hourly rates. It’s also hard to imagine a full-fledged SIEM being  by a single talented individual — your company will need to maintain an entire team.

A common psychological pitfall is being misled by how fast a prototype comes together. You can deploy a ready-made OSS in a test environment in just a few days, but bringing it up to production quality can take many months — even years.

Skill shortages

An SIEM needs to collect, index, and analyze thousands of events per second. Designing a high-load system, or even adapting an existing one, requires specialized and in-demand skills. Beyond just developers, the project would need highly skilled IT administrators, DevOps engineers, analysts, and even dashboard designers.

Another kind of shortage that SIEM builders have to overcome is the lack of hands-on experience needed to write effective normalization rules, correlation logic, and other content that comes out of the box in commercial SIEM solutions. Of course, even that out-of-the-box content requires significant adjustments, but bringing it up to your organization’s standards is both faster and easier.

Compliance

For many companies, having an SIEM system is a regulatory requirement. Those who build an SIEM themselves or implement an OSS solution have to put in considerable effort to achieve compliance. They need to map their SIEM’s capabilities to regulatory requirements on their own — unlike the users of commercial systems, which often come with a built-in certification process and all the necessary tools for compliance.

Sometimes, management might want to implement an SIEM just to “tick a box”, aiming to minimize the expense. But since PCI DSS, GDPR, and other local regulatory frameworks focus on the actual breadth and depth of SIEM implementation — not just its mere existence — a token SIEM system implemented just for show would fail to pass any audit.

Compliance isn’t something you can consider only at the time of implementation. If, during self-managed maintenance and operation, any components of your solution stop receiving updates and reach end-of-life, your chances of passing a security audit would plummet.

Vendor lock-in vs. employee dependence

The second most important reason for organizations to consider an open-source solution has always been flexibility in adapting it to their specific needs, along with avoiding reliance on a software vendor’s development roadmap and licensing decisions.

Both of these are compelling arguments, and in large organizations they can sometimes outweigh other factors. However, it’s crucial to make this choice with a clear understanding of its pros and cons:

• OSS SIEMs can be simpler to adjust for unique data inputs.
• With an OSS SIEM, you maintain complete control over how data is stored and processed.
• The cost of scaling an OSS SIEM primarily consists of prices for additional hardware and the development of required features.
• Both the initial setup and ongoing evolution of an OSS SIEM demand seasoned professionals who are well-versed in both development practices and SOC realities. If the team members who best understand the system leave the company or change roles, the system’s evolution might come to a halt. What’s worse, it gradually becomes less functional.
• While the upfront implementation cost of an OSS SIEM might be lower due to the absence of license fees, this difference often erodes during the maintenance phase. This is because of the continuous, additional expense of qualified staff dedicated solely to SIEM development. Over the long term, the total cost of ownership (TCO) for an OSS SIEM often turns out to be higher.

Content quality

The relevance of detection and response content is a key factor in an SIEM’s effectiveness. For commercial solutions, updates to correlation rules, playbooks, and threat intelligence feeds are typically provided as part of a subscription. They’re developed by large teams of researchers, undergo thorough testing, and generally require minimal effort from your in-house security team to implement. With an OSS SIEM, you’re on your own when it comes to updates: you need to search community forums, GitHub repositories, and free feeds yourself. The rules then require detailed vetting and adaptation to your specific infrastructure, and the risk of false positives ends up being higher. As a result, implementing updates in an open-source SIEM demands significantly more effort from your internal team.

The elephant in the room: hardware

To launch an SIEM, you need to acquire or lease hardware, and depending on the system’s architecture, this expense can vary dramatically. It doesn’t really matter much whether the system is an open-source or proprietary commercial solution. However, when implementing an open-source SIEM on your own, there’s a greater risk of making sub-optimal architectural decisions. In the long run, this translates into persistently high operational costs.

We cover the topic of evaluating SIEM hardware needs in detail in a separate post.

The final tally

While the idea of a fully customizable and adaptable platform with zero licensing fees is highly appealing, there is a significant risk that such a project would demand far more time and effort from your internal development team than an off-the-shelf commercial solution. It may also hinder your ability to quickly adopt new innovations and shift your security team’s focus from developing detection logic and response scenarios to dealing primarily with operational issues. This is why a managed, expert-supported, and well-integrated commercial solution often aligns more closely with a typical organization’s goals of effective risk reduction and predictable budgeting.

Commercial SIEMs enable your team to leverage pre-built rules, playbooks, and telemetry parsers, allowing it to focus on organization-specific projects — such as threat hunting or improving visibility in cloud infrastructure — instead of reinventing and refining basic SIEM features, or struggling to pass regulatory audits with a homegrown system.

Kaspersky official blog – ​Read More

Scammers just can’t stop playing Santa: one day it’s free Telegram subscriptions; another it’s cryptocurrency. This new scam keeps things simple: they’re offering money right off the bat — or, more accurately, sharing a supposedly legal way for you to cash in.

The scammers created a two-minute video in which journ-AI-lists and a celebrity spin tall tales: “Everyone can get compensation. You just need to…” Read on to find out what the scammers are instructing their victims to do, and about the bait they’re using to lure unsuspecting folks into their trap.

The scammers’ modus operandi

This campaign saw scammers create phishing websites to host the video. You won’t find it on YouTube or any other video hosting site (for your safety, we won’t share it here either), because this kind of AI-generated content tends to be taken down in short order. It’s much harder to deal with scam websites — especially when links are distributed via email and messaging apps.

Now for the most interesting part: the video. It looks just like a brand-new Brazilian news segment, but there’s a twist. The news is completely fake — and was “shot” without the journalists’ permission. The scammers used a real news broadcast as the base, overlaying it with AI-generated voiceover and syncing the lip movements to match the new script. In it, AI-generated clones of real journalists weigh in on “violations” by one of the country’s leading banks.

• “Clients see their balances shrink for no reason — or even get wiped out entirely”
• “Accounts are being unjustly frozen”
• “Interest rates on loans are being inflated”

Part of the fake article created by AI for this scam

Once the stage is set, another AI clone takes over. Here, the scammers use the same approach as with the journalists: real video footage, AI-generated voiceover, and lip-syncing to match the new script. An AI-generated copy of a celebrity in Brazil delivers a fiery speech: “For months on end, the bank has repeatedly violated regulations, and now we’re taking decisive, uncompromising action. From this point forward, the bank will be allowed to operate in Brazil only if it pays compensation to every citizen, in the amounts specified.” And — what do you know? — bingo! Suddenly, every Brazilian is entitled to a one-time payout ranging from 1518 to 10 626 Brazilian reals (approximately US$250–2000).

Scam says court ruling guarantees compensation of up to R$10 000

Then the journalist clones return to the screen, supposedly showing a social media post from the bank that “confirms” the statement. But how do you actually cash in? Well, an AI-generated voiceover, set against a video tutorial, explains that all Brazilians need to visit a website “created by the tax authority and the bank”, enter their CPF (the Brazilian taxpayer ID), and calculate their personal compensation amount.

The setup is clear: as soon as the victim finishes watching the video, they’re funneled straight to a specially crafted phishing website, where a quick identity check awaits.

• “What’s your mother’s name?”
• “What’s your date of birth?”
• “You have an overdue insurance payment in the amount of…”

A barrage of questions, and even a voice message generated by AI — now that’s technology at work!

Answer all the questions correctly (not that it really matters — you can type whatever you like), and you’re through to the final stage. You’re told the transaction is practically on its way and the money is about to hit your account, but there’s a snag. You’re required to pay three taxes: a road tax, a transfer tax, and a receipt tax, totaling just 55 Brazilian reals (around $10) — a mere pittance compared to the promised windfall of 7854 reals (roughly $1400). Next, the site asks you to enter your bank card details, confirm your CPF once again, and provide your name, email, and phone number before making the payment. And when those “taxes” are paid… absolutely nothing happens! The money and personal information will go straight to the scammers — and, of course, no one will ever see a payout.

Protecting yourself against payout scams

This scam targets Brazilian residents, but it could easily be adapted to other languages, themes, and continents. By tomorrow, you can bet the scammers will have cooked up a brand-new pretext: government fitness reimbursements, free food, a gas-bill refund, or something else entirely. That’s why it’s crucial to recognize the pattern: there’s always enticing bait (think free giveaways of something valuable), a phishing website, and a fake news report to seal the deal. But how can you spot the catch in videos like these?

• Watch the lips. Then you can spot the AI-generated journalist clones not always opening their mouths correctly. AI still struggles to perfectly sync lip movements with the audio track.
• Watch the facial expressions. Sure, these “news” videos might look convincing in a still frame, but if you look closely at AI-generated footage, you’ll notice how the speaker’s face can suddenly shift or change in unnatural ways.
• Inspect the background and lighting. If the “journalist” is standing in the middle of a field or some other empty space with blurry edges, or the lighting just looks off, chances are you’re looking at an AI creation.

But there’s more!…

Be sure to read Watch the (verified) birdie, or new ways to recognize fakes. In that post, we provide detailed guidance on telling real photos from fakes. If you’re worried that you or your loved ones might accidentally end up on a scam website, install Kaspersky Premium. It automatically blocks access to suspicious links from chat apps and email to keep you safe from phishing. That way, if there’s ever a threat, you won’t even have to worry about spotting fake news yourself.

Remember: following basic safety tips is one of the best ways to steer clear of scammers:

• Avoid entering personal and payment details on suspicious websites. If they’re asking for your date of birth, email, bank details, taxpayer ID, and… which doormat you keep your spare key under, chances are you’re dealing with scammers.
• Just a reminder: there’s no such thing as a free lunch. Be suspicious if someone promises you the world for nothing — even if it seems to be coming from a government official in a video. In fact, be even more cautious if it’s a government official speaking on camera!
• If you have to pay to claim your prize, it’s probably a scam. That’s a classic scammer’s trick: they promise you a huge payout, but only if you pay “a fee”, “tax”, or “shipping” first.
• Avoid clicking suspicious links. As a rule of thumb, consider any link sent to you by strangers to be suspicious by default. But remember, even friends can end up sending scam links — sometimes without even realizing it.

What else are scammers up to?

• SIMulated giveaway on Instagram: the prize is your account!
• You’ve been sent a “gift” — a Telegram Premium subscription
• It’s a gas: how online scammers dupe “investors”
• You found a seed phrase from someone else’s cryptowallet: what could go wrong?
• How to sell your TV without losing your shirt (and banking data)

Kaspersky official blog – ​Read More

Government institutions worldwide face a growing number of sophisticated cyberattacks. This case study examines how ANY.RUN’s solutions can be leveraged to detect, analyze, and mitigate cyber threats targeting government organizations. 

By analyzing real-world threats, we demonstrate how ANY.RUN’s Threat Intelligence Lookup, Interactive Sandbox, and YARA Search assist cybersecurity teams in identifying attack vectors, tracking malicious activities, and enhancing organizational resilience. 

Case Studies 

We will explore several attack scenarios where adversaries impersonate government structures to gain initial access:  

• A phishing email sent to the Department of Employment and Workforce (a U.S. government agency responsible for helping with employment and paying unemployment insurance benefits). 

• A domain imitating the official website of the U.S. Social Security Administration. 

• A malicious PDF disguised as a court notice from the South African Judiciary. 

1. Phishing Email Targeting South Carolina Department of Employment and Workforce 

Let’s take up the role of a cybersecurity officer at the department and try to understand who is targeting the organization, what malware is used, and what delivery methods are applied.  
 
A YARA rule is created to search emails with recipients from the domain dew.sc.gov analyzed in ANY.RUN sandbox. It identified 33 files and their analyses featuring email addresses on dew.sc.gov.

These results help to better understand threats targeting the agency:  

• Study subject lines, attachment types, and delivery methods. 

• Identify malware and tools used for attacks. 

• Collect artifacts (hashes, URLs, IPs) for filtering and monitoring. 

• Detect recurring techniques to improve protection. 

Let’s view one of the sandbox analyses linked to the detected files:  
 
In April 2025, a phishing email was uploaded to ANY.RUN, targeting an employee at the South Carolina DEW. The email, sent from @163.com domain, contained a malicious ZIP attachment named “Quotation.zip” (658 KB).  

We can run a separate analysis of the email in the Sandbox. First of all, header analysis shows that the email failed SPF, DKIM, and DMARC checks — the IP address wasn’t authorized for sending from 163.com, and no DKIM signature was present.

The IP can be used as an IOC and subjected to reputation checks. 

The email attachment that includes an executable file, “Quotation.exe”, has been flagged as a stealer by ANY.RUN’s signatures even before execution. The malware was identified as FormBook, with behaviors mapped to MITRE ATT&CK techniques T1552.001 (Credentials in Files) and T1518 (Software Discovery). The execution chain is visualized in the Graph section:  

Network traffic analysis confirmed FormBook activity through Suricata rules detecting characteristic HTTP headers. 

How to Find Similar Emails via ANY.RUN 

And now let us scale up to exploring the landscape of similar attacks, the patterns they follow, and to understanding the urgency of such threats for government agencies in the USA. A TI Lookup search was run for FormBook samples uploaded for sandbox analysis by users from the USA and delivered to them by email opened via Outlook:  
 
threatName:”FormBook” and submissionCountry:”US” and commandLine:”outlook.exe” 

12 sandbox analysis sessions were found — each containing unique indicators like hashes, IPs, C2 calls, and email content. This data can be used for deriving context and tracking repetitive techniques. 

Broader analysis is available using YARA Search for .gov email recipients in 2025 to identify malicious activity targeting US state agencies:  

Not all the found letters are malicious, but many reflect current phishing tactics recruited against government bodies.  

Custom YARA rules can be adjusted for relevance: change conditions, add filters, and thus create a selection of emails relevant to an organization’s threat profile. 

2. Fraudulent Domain Mimicking the U.S. Social Security Administration 

Next, we simulate the role of a SOC analyst at the U.S. SSA and research phishing domains that impersonate our entrusted agency. How do the documents these domains host look and feel, what payloads they disseminate, and what tactics and methods adversaries use?  

Via TI Lookup, we search for domains flagged as malicious and containing ssagov. 

domainName:”ssagov” and threatLevel:”malicious” 

The search returned 22 sandbox analyses, with 7 unique potentially malicious domains. This indicates attackers actively spoof SSA for phishing. Exploring these campaigns allows SOC teams to gather indicators, set up detection systems, and enhance triage and response.  

For example, an Interactive Sandbox analysis session from May 2025 spotted a malicious domain documentssagov[.]com that mimics SSA’s website and prompts users to download a “document”. Typical social engineering tactics are engaged — urgency, fake branding, and download prompts. 

Instead of a document, an executable SSA_Document.exe is downloaded. On execution, the ScreenConnect remote administration tool is deployed — indicating an attempt to gain remote access. This activity has been detected via Suricata and mapped to MITRE ATT&CK matrix.

How to Find Similar Domains via ANY.RUN 

Besides researching threats targeting a specific agency, we can uncover a domain-based tactic that involves spoofing a government agency sector.   

We aim to identify which phishing domains are being used by malicious actors, how actively they are being exploited, and what techniques are employed to deliver malicious payloads — while also enriching our detection systems with new indicators. 

Suppose we are interested in current attacks targeting ministries of foreign affairs. Let’s try to find potentially malicious domains that imitate the official websites of such organizations. Typically, these sites contain the abbreviation “mofa” (Ministry of Foreign Affairs) in their domain names. 

domainName:”*mofa*” AND threatLevel:”malicious” 

This TI Lookup search reveals 12 potentially malicious domains and 22 related analyses. Each analysis session contains IOCs, TTPs, domain interaction patterns, and data on malware distribution vectors. Such insights help understand phishing strategies, delivery mechanisms, and enrich detection systems with new indicators. 

3. Malicious PDF Posing as a South African Judiciary Notice 

Finally, let’s put on the hat of a South African Judiciary body employee and imagine having received an email with a PDF document disguised as an urgent judicial notice. We upload the file to ANY.RUN’s Interactive Sandbox and perform an analysis.  
 
The document mimics a court summons allegedly sent to a company, urging the recipient to immediately review the case materials. A button labeled “PREVIEW YOUR SUMMON DOCUMENT HERE” leads to an external link likely hosting a malicious payload. 

This is a classic example of social engineering, designed to create a sense of urgency and official pressure. The use of visual elements typical of government notifications increases the chances of recipient engagement. Such PDF files are often used to deliver and execute malicious code or as a trigger to redirect users to phishing sites. 

Upon opening the PDF, ANY.RUN flags the file as potentially phishing-related. It detects telltale signs, such as wording commonly used in phishing campaigns and embedded links. Quickly it becomes clear that the file is unsafe and likely part of an attack. 

Clicking the “PREVIEW YOUR SUMMON DOCUMENT HERE” button redirects the user to FloppyShare, from which a file named “SUMMON COURT DEMAND DOCUMENT.html” is automatically downloaded. When opened, this HTML document displays a fake Microsoft Office 365 Mail login form, prompting the victim to enter their credentials. 

This tactic is typical of credential-harvesting phishing attacks. The form visually mimics Microsoft’s authentication page, increasing the likelihood that victims will input their login details. 

How to Find Similar Documents via ANY.RUN 

One effective approach is to extract embedded images from the PDF and search for their hashes in the ANY.RUN database. This helps identify similar samples, recurring templates, and visual elements used by attackers in social engineering campaigns. By doing so, we gain deeper insight into their tactics and uncover related malicious content. 

Let’s take the hash of one of the PDF’s embedded images and perform a search via TI Lookup with a simple query:  
 
sha256:”dfbbc198e7cb36ca31a5cb9dfd859955c4366b94f4a87c2a03102d60168eb74d” 

The results reveal 18 analyses featuring various PDF variants and payload delivery methods. Attackers disguise malicious pages as legitimate services and use different hosting platforms. 

The data from the samples can serve as indicators of compromise (IOCs) for malicious activity targeting a specific company or sector of interest. 

Summary on the Cases 

ANY.RUN’s capabilities enabled rapid threat detection and analysis: 

• TI Lookup: Provides detailed threat intelligence, including domain and IP reputation. 

• YARA Search: Identifies targeted phishing campaigns by filtering emails with specific recipient domains, yielding actionable IOCs and samples. 

• Sandbox Analysis: Executes malicious files to observe behaviors, map MITRE ATT&CK techniques, and detect network-based threats using Suricata rules. 

The ability of these solutions to scale analysis and correlate threats across multiple incidents helps to build a comprehensive attack profile, critical for government cybersecurity strategies. 

Recommendations for Decision-Makers 

For government cybersecurity leaders, we recommend to: 

1. Adopt proactive threat hunting: Use ANY.RUN’s YARA Search to monitor emails and files targeting agency domains, enabling early detection of phishing and malware campaigns. 

2. Leverage real-time analysis: Employ ANY.RUN’s Interactive Sandbox to analyze suspicious attachments and URLs, ensuring rapid identification of threats.  

3. Use threat intelligence: Utilize TI Lookup to gather IOCs to block malicious IPs, domains, and URLs across agency networks.  

4. Empower staff with phishing awareness: Educate employees on recognizing spoofed domains and suspicious attachments, using insights from ANY.RUN analyses.  

5. Integrate with existing systems: Incorporate ANY.RUN’s TI Feeds to automate threat detection. 

By providing real-time analysis, scalable threat hunting, and actionable intelligence, ANY.RUN empowers cybersecurity teams to protect critical infrastructure effectively. Implementing these recommendations will strengthen defenses, reduce response times, and mitigate risks posed by targeted cyber threats. 

Get a 14-day trial of ANY.RUN’s solutions and see how much faster and deeper your threat investigations can be. 

The post Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN for Fast Response appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More