November was a packed month for detection coverage. We rolled out new behavioral insights, broadened our visibility across multiple threat families, and strengthened rulesets at every layer. On top of that, our analysts uncovered and documented a new phishing wave targeting Italian organizations through malicious PDF attachments, now fully mapped in a dedicated TI report. 

Let’s walk through the full set of improvements we delivered this month. 

Threat Intelligence Reports 

In November, we published several new TI Reports covering threats that are currently targeting companies around the world. The four of them are open to everyone: 

• RoningLoader, HoldingHands, Snowlight: APT-Q-27 loader chain, stealthy RAT, and Linux VShell dropper enabling cross-platform compromise of enterprise and server environments. 

• PDFChampions, Efimer, BTMOB: Malvertising-based browser hijacker, Tor-hosted cryptocurrency stealer, and Android MaaS trojan abusing Accessibility to drain banking, fintech, and wallet applications. 

• Monkey, Phoenix, NonEuclid: AI-generated Linux ransomware, espionage-focused backdoor, and dual-use RAT–ransomware illustrating convergence of state-aligned techniques and financially motivated crimeware. 

• Valkyrie, Sfuzuan, Sorvepotel: Windows stealer MaaS, adaptable backdoor, and WhatsApp-propagating campaign weaponizing social trust and messaging channels for large-scale infection. 

We also wrote an extensive report exclusively for the TI Lookup Premium subscribers. It goes in-depth on a phishing campaign aimed specifically at Italian organizations across transportation, tourism, telecom, IT, and government sectors. The activity relies on PDF attachments disguised as official documents, each redirecting victims to counterfeit Microsoft login pages built to harvest corporate credentials. 

The report outlines: 

• A consistent lure pattern using Italian-language prompts inviting recipients to “review” or “sign” a document 

• PDF filenames following a shared template: Allegato_Ufficiale_<variable>.pdf 

• Brand impersonation, including well-known Italian companies, to raise credibility 

• Redirect chains leveraging both compromised domains and attacker-controlled infrastructure (e.g., phebeschool.org, mircosotfonilne.ru, vorn.revolucionww.com) 

• Browser fingerprinting behavior tied to data collection on victim systems 

• Email templates localized in Italian, with urgent subject lines pushing immediate action 

We also included ready-to-use TI Lookup queries so analysts can surface related samples quickly, track the filename cluster, and follow the network infrastructure across recent public analysis sessions. 

Behavior Signatures 

In November, we expanded the malicious behavior coverage of ANY.RUN’s Interactive Sandbox with 52 new signatures across ransomware families, loaders, post-exploitation tools, and suspicious PowerShell activity. These additions help analysts surface malicious behavior earlier, reduce repeated checks, and speed up root-cause discovery. 

Here are the latest signatures added: 

• JSGuldr 

• LockerGoga 

• UDPGangster 

• WastedLocker 

• RoningLoader 

• PureHVNC mutex 

• AURA 

• Possible Kerberos ticket injection (PowerShell) 

• CVE-2025-6218 

• Compromised SteamCleaner 

• LockerGoga 

• UDPGangster 

• PowerShell memory allocation 

• Possible path obfuscation (PowerShell) 

• NetworkMiner 

• Intercepter-NG 

• Snowlight 

• RawCap 

• PDFChampions mutex 

YARA Rules 

We added 9 YARA rules in November to improve early detection of ransomware, RAT families, and network-proxy tooling. These rules help analysts flag suspicious samples even before execution, making triage faster and more reliable. 

• Pulsar 

• Noneuclid 

• GhostSocks 

• Qilin 

Suricata Rules 

In November, we added 2,184 new Suricata rules, strengthening network-level detection for RAT traffic, stealer activity, and modern phishing techniques. These additions expand coverage for TLS fingerprinting and browser-based deception tactics. 

• GravityRAT JA3 (sid:84000202): Identifies GravityRAT network activity by previously unlisted JA3 TLS fingerprint. 

• SalatStealer JA3 (sid:84000205): Identifies SalatStealer network activity by previously unlisted JA3 TLS fingerprint. 

• Browser-in-the-Browser phishing attack (sid:85005418): Detects a phishing technique that simulates new browser window with legitimate domain within the actual browser window. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, is used by more than 500,000 analysts across 15,000 organizations worldwide. The service helps teams investigate threats in real time, follow full execution chains, and surface critical behavior within seconds. 

Analysts can detonate samples, interact with them as they run, and immediately pivot into network traces, file system changes, registry activity, and memory artifacts. With continuously updated detection coverage, including new behavioralsignatures, YARA rules, Suricata rules, and TI insights, teams get faster answers and clearer visibility with less manual effort. 

Whether you’re running day-to-day investigations, handling escalations, or tracking emerging campaigns, ANY.RUN gives SOC teams, DFIR analysts, MSSPs, and researchers a practical way to reduce uncertainty and make decisions with confidence. 

Start your 14-day trial of ANY.RUN today →         

The post Threat Coverage Digest: New Malware Reports and 5K+ Detection Rules  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Dashcams, popular in some countries and while illegal in others, are typically seen as insurance in case of an accident or roadside dispute. But a team of Singaporean cybersecurity researchers have a different take. They see offline (!) dashcams as a suitable foundation for… a mass surveillance system — moreover, one that can broaden automatically. They presented the details of their research at the Security Analyst Summit 2025.

The espionage potential of a dashcam

So, how can offline device be used for surveillance? Well, though it’s true that most dashcams aren’t equipped with a SIM card or 4G/5G connectivity — even inexpensive models have Wi-Fi. This allows the driver’s phone to connect to the device through a mobile app to adjust settings, download videos, and for other purposes. And as it turns out, many dashcams allow authentication to be bypassed, meaning a malicious actor can connect to them from their own device and then download the stored data.

An attacker has a lot to gain from this. First, there’s the high-resolution video, which clearly shows license plates and road signs. Some dashcam models also record the car’s interior, and others feature wide-angle lenses and/or rear-facing cameras. Second, dashcams can record audio — primarily conversations — inside the vehicle. Third, these video and audio recordings are tagged with precise timestamps and GPS tags.

Therefore, by downloading data from a dashcam, someone could track the owner’s movements, obtain images of the locations where they drive and park, find out what they talk about in the car, and often get photos and videos of the vehicle’s passengers or people near the car. Naturally, for targeted surveillance, a hacker would need to compromise a specific dashcam, while for mass surveillance, they’d need to compromise a large number of devices.

Attack vectors for dashcams

The researchers began their experiments with a popular Thinkware dashcam, but quickly widenend the scope of the study to include two dozen models from 15 or so different brands.

They discovered many similarities in how the different devices operate. The initial connection is typically made to a Wi-Fi access point created by the dashcam itself, using the default SSID and password from the manual.

Most of the models tested by the researchers had a hardcoded password, allowing an attacker to establish a connection with them. Once connected, a hacker gains access to a familiar setup found in other IoT gadgets: an ARM processor and a lightweight Linux build. The attacker then has a whole arsenal of proven tricks to choose from to bypass the manufacturer’s authentication — designed to distinguish the owner from an unauthorized user. At least one of these methods typically works:

• Direct file access. While the minuscule web server in the dashcam waits for a client to send a password at the official entry point, malicious requests for direct video downloads often go through without a password check
• MAC address spoofing. Many dashcams verify the owner’s identity by checking the unique MAC address of their smartphone’s Wi-Fi adapter. The attacker can first intercept this address over the airwaves, and then spoof it in their own requests, which is often enough to establish a connection
• Replay attack. By simply recording the entire Wi-Fi data exchange between the dashcam and the owner’s smartphone during a legitimate connection, an attacker can later replay this recording to gain the needed permissions

Most online services have been protected against these types of attacks for years if not decades. However, these classic vulnerabilities from the past are still frequently discovered in embedded devices.

To allow users to quickly review recorded files on their phone screen, or even watch a live feed from the camera, dashcams typically run several servers similar to those used on the internet. An FTP server enables quick file downloads, while an RTSP server streams live video, and so on. In theory, these servers have their own password-based security to protect them from unauthorized access. In practice, they often use a default, hardcoded password that’s identical for every unit of that model — a password that can be easily extracted from the manufacturer’s mobile app.

The one-hack-fits-all situation

Why are researchers convinced that these devices can be hacked on a massive scale? Due to two key factors:

• Just a few popular dashcam models account for the lion’s share of the market. For instance, in Singapore, nearly half of all dashcams sold are from the brand IMAKE
• Different models, sometimes from different brands, have very similar hardware and software architecture. This is because these dashcam manufacturers source their components and firmware from the same developer

As a result, a single piece of malicious code designed to try a few dozen passwords and three or four different attack methods could successfully compromise roughly a quarter of all dashcams in a real-world urban environment.

In the initial version of the attack, the researchers modeled a semi-stationary scenario. In this setup, an attacker with a laptop would be located at a place where cars stop for a few minutes, such as a gas station or a drive-through. However, further research led them to a more alarming conclusion: everything needed for the attack could be run directly on the dashcam itself! They managed to write code that operates like a computer worm: an infected dashcam attempts to connect to and compromise the dashcams in nearby cars while on the move. This is feasible when vehicles travel at similar speeds, for instance in heavy traffic.

From mass compromise to mass surveillance

The authors of the study didn’t stop at just proving that the hack was possible; they developed a complete system for harvesting and analyzing data. The data from compromised dashcams can be harvested to one central location in two ways: by sending the data directly to the attackers’ computer located at, say, a gas station, or by exploiting the built-in cloud-enabled features of some dashcams.

Some dashcam models are equipped with an LTE module, allowing the malicious code to send data directly to the botnet owner. But there’s also an option for simpler models. For example, a dashcam can have functionality to upload data to a smartphone for syncing it to the vendor cloud, or the compromised device can forward the data to other dashcams, which then relay it to the attacker.

Sometimes, inadequate cloud storage security allows data to be extracted directly — especially if the attacker knows the user identifiers stored within the camera.

The attacker can combine several methods to analyze the harvested data:

• Extracting GPS metadata from photos and videos
• Analyzing video footage to detect road signs and recognize text — identifying specific streets and landmarks
• Using a Shazam-like service to identify music playing in the car
• Leveraging OpenAI models to transcribe audio and generate a concise summary of all conversations inside the vehicle

The result is a brief, informative summary of every trip: the route, travel time, and topics that were discussed. At first glance, the value of this data seems limited because it’s anonymous. In reality, de-anonymization isn’t a problem. Sometimes the owner’s name or license plate number is explicitly listed in the camera’s settings. Furthermore, by analyzing the combination of frequently visited locations (like home and work), it’s relatively straightforward to identify the dashcam owner.

Conclusions and defense strategies

The recent revelations about the partnership between Flock and Nexar underscore how dashcams could indeed become a valuable link in a global surveillance and video monitoring system. Flock operates the largest network of automated license plate reader cameras for police in the United States, while Nexar runs a popular network of cloud-connected dashcams designed to create a “crowdsourced vision” of the roads.

However, the mass hacking of dashcams could lead to a much more aggressive and malicious data-harvesting effort, with information being abused for criminal and fraudulent schemes. Countering this threat is primarily the responsibility of vendors, which need to adopt secure development practices (Security by Design), implement robust cryptography, and employ other technical controls. For drivers, self-defense options are limited, and heavily dependent on the specific features of their dashcam model. We list them below in order of the most to least radical:

• Purchase a model without LTE, Wi-Fi and Bluetooth capabilities. This is the most secure option
• Completely disable Wi-Fi, Bluetooth, and other communication features on the dashcam
• Disable audio recording and, ideally, physically disable the microphone if possible
• Turn off parking mode. This feature keeps the dashcam active at all times to record incidents while the car is parked. However, it drains the car’s battery and, very likely, keeps the Wi-Fi on — significantly increasing the risk of a hack
• Check the available Wi-Fi settings on the dashcam:
  • If there’s an auto-shutoff for Wi-Fi after a certain period, set it to the shortest time possible
  • If you can change the default Wi-Fi password or network name (SSID), be sure to do so
  • If there’s an option to hide the network name (often referred to as Hidden SSID, Wi-Fi Broadcast Off, or Stealth Mode), enable it
• Regularly update your dashcam firmware and its paired smartphone app. This increases the chances that vulnerabilities — like those described in this article — will be patched when you install a newer version.

Modern cars are susceptible to other types of cyberattacks too:

• Highway to… hacked: cyberthreats to connected cars
• Car hacking via Bluetooth
• How millions of Kia cars could be tracked
• I know how you drove last summer
• Spies on wheels: how carmakers collect and then resell information

Kaspersky official blog – ​Read More

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr’ouvert Lasso, and one vulnerability in GL.iNet Slate AX.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Dell vulnerabilities

Discovered by Philippe Laulheret of Cisco Talos.

The Dell ControlVault is a hardware-based security solution designed for user authentication functions. Talos reported five vulnerabilities, as follows:

• TALOS-2025-2173 (CVE-2025-31649) is a hard-coded password vulnerability. A specially crafted ControlVault API call can lead to an execution of privileged operation.
• TALOS-2025-2174 (CVE-2025-31361) is a privilege escalation vulnerability. A specially crafted WinBioControlUnit API call can lead to privilege escalation.
• TALOS-2025-2175 (CVE-2025-36460-CVE-2025-36463) covers multiple out-of-bounds read and write vulnerabilities. A specially crafted WinBioControlUnit API call can lead to memory corruption.
• TALOS-2025-2188 (CVE-2025-32089) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to an arbitrary code execution.
• TALOS-2025-2189 (CVE-2025-36553) is a buffer overflow vulnerability. A specially crafted ControlVault API call can lead to memory corruption.

Entr’ouvert Lasso vulnerabilities

Discovered by Keane O’Kelley and another member of Cisco Advanced Security Initiative Group.

Lasso is a free (GNU General Public License) C library that defines processes for federated identities, single sign-on, and related protocols.

TALOS-2025-2193 (CVE-2025-47151) is a type confusion vulnerability, where a specially crafted SAML response can lead to an arbitrary code execution.

TALOS-2025-2194 (CVE-2025-46404), TALOS-2025-2195 (CVE-2025-46784), and TALOS-2025-2196 (CVE-2025-46705) are denial of service vulnerabilities. Specially crafted SAML responses can lead to a denial of service in all three cases.

GL.iNet Slate AX vulnerability

Discovered by Lilith >_> of Cisco Talos.

Slate AX (GL-AXT1800) is a Wi-Fi 6GB travel router. Cisco Talos discovered a firmware downgrade vulnerability, TALOS-2025-2230 (CVE-2025-44018), in the OTA Update functionality. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Cisco Talos Blog – ​Read More

Stealers, loaders, and targeted campaigns dominated November’s activity. ANY.RUN analysts examined cases ranging from PNG-based in-memory loading used to deploy XWorm to JSGuLdr, a three-stage JavaScript-to-PowerShell loader pushing PhantomStealer. 

Alongside these public cases, three Threat Intelligence Reports detailed new activity across Windows, Linux, and Android, including loader-enabled hijackers, Tor-based cryptotrojan communication, Linux ransomware in Go, MaaS stealers, and a WhatsApp-propagating campaign with geofencing controls. 

Each case was analyzed inside ANY.RUN’s Interactive Sandbox, revealing execution flows, persistence mechanisms, and behavioral indicators that help teams tune detections and trace related activity. 

Let’s break down how these attacks unfolded, where they hit, and what security teams can take away to strengthen their defenses before the next wave arrives. 

1. XWorm: PNG Files Used as Containers for an In-Memory Loader 

Post on X 

ANY.RUN analysts observed a new wave of XWorm infections in November, delivered through phishing pages and emails that distribute a JavaScript dropper named PurchaseOrder_25005092.js. While it appears benign at first glance, the script unpacks a full multi-stage chain designed to bypass quick checks, hide payloads inside PNG files, and execute a .NET assembly directly in memory. 

How the attack begins 

The campaign begins with a phishing lure (T1566.001) delivering a heavily obfuscated JavaScript installer (T1027). Once executed, the script checks whether the required components exist on the system and writes the missing files to C:UsersPUBLIC using Base64-encoded and AES-encrypted data (T1027.013). The staged components are later used during the PowerShell-driven decryption and in-memory execution stages. 

The three staged files are: 

• Kile.cmd: A heavily obfuscated batch script filled with variable noise, percent-encoding, and fragmented Base64 

• Vile.png: Not an image but a Base64-encoded and AES-encrypted payload 

• Mands.png: Another encrypted data blob used during the second stage 

Attackers deliberately use the “.png” extension (T1036.008) to make the files look harmless and evade quick manual reviews. 

In-memory execution chain 

After writing the staged components to C:UsersPUBLIC, the JavaScript dropper reconstructs readable commands from its fragments and launches a PowerShell payload (T1059). This PowerShell script operates as a two-stage AES-CBC loader. 

Stage 1: Command runner 

Reads C:UsersPUBLICMands.png as Base64 → AES-decrypt → yields Base64-encoded commands. Each command is decoded and executed via Invoke-Expression, enabling the script to run attacker-controlled instructions without a traditional executable. 

Stage 2: In-memory assembly load 

Reads C:UsersPUBLICVile.png as Base64 → AES-decrypt → raw bytes. Loader attempts to execute the resulting .NET assembly directly from memory (T1620). 

This creates an in-memory loader that launches XWorm without dropping a traditional executable. A successful compromise enables credential theft, remote control, and lateral movement across corporate environments. 

See the full execution inside ANY.RUN 

Enrich this case using Threat Intelligence Lookup 

Below are ready-to-use TI Lookup queries for finding similar campaigns: 

• PowerShell with .Replace() obfuscation: imagePath:”\powershell.exe$” AND commandLine:”.Replace(“ 

• PowerShell invoking IEX: imagePath:”\powershell.exe$” AND commandLine:”iex” 

• JavaScript droppers writing to PublicLibraries: filePath:”^C:\Users\Public\Libraries\*.js$” 

2. JSGuLdr: Multi-Stage Loader Delivering PhantomStealer 

Post on X 

In November, ANY.RUN analysts identified JSGuLdr, a multi-stage loader that moves from JScript to PowerShell and ultimately deploys PhantomStealer. The chain relies on obfuscation, COM-based execution, cloud-hosted payloads, and in-memory loading, allowing the final payload to run with limited on-disk exposure. 

Stage 1: JScript Execution and COM-Based PowerShell Launch 

The first stage is an obfuscated JScript file signed with a fake Authenticode certificate to appear trustworthy (T1027, T1553.006). It generates an encrypted PowerShell string and writes it to %APPDATA%Registreri62, forming the second-stage component. 

Execution then shifts to Shell.Application and Explorer COM interaction, which launches powershell.exe under explorer.exe, masking the activity as normal user behavior (T1559.001, T1218). 

Stage 2: PowerShell Loader, Cloud Retrieval, and In-Memory Execution 

The PowerShell code decodes the contents of Registreri62, reconstructs hidden commands, and downloads an encrypted payload from Google Drive using a WebClient request (T1105). This payload is stored as %APPDATA%Autorise131.Tel, used as the on-disk container for the next stage (T1074.001). 

Stage 3: In-Memory Loading and PhantomStealer Injection 

PowerShell decrypts Autorise131.Tel, extracts raw bytes, and loads the resulting .NET assembly directly in memory (T1620). The final payload, PhantomStealer, is then injected into msiexec.exe, allowing it to run under a trusted Windows process and steal data without creating a conventional executable on disk (T1055, T1218.007). 

Execution chain: wscript.exe → explorer.exe → explorer.exe (COM) → powershell.exe → msiexec.exe 

Review the complete execution chain and behavioral indicators in the JSGuLdr analysis session.  

Track similar activity with TI Lookup 

Use the following TI Lookup query to identify related JSGuLdr activity, pivot from shared IOCs, and uncover additional loader variants across recent submissions. 

commandLine:”windowssystem32″ and imagePath:”explorer.exe” 

Gathered IOCs: 

• URL: hxxps://drive[.]google[.]com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd  

• Files: %APPDATA%Registreri62, %APPDATA%Autorise131[.]Tel  

• CMD: powershell.exe “$Citize=$env:appdata+’Registreri62′;$Guazuma=gc $Citize;$Aristape=$Guazuma[4460..4462] -join ”” 

Threat Intelligence Report 1: PDFChampions, Efimer, and BTMOB 

Full analysis in TI Report  

This Threat Brief provides a focused breakdown of three active threats, including how each sample behaves in the sandbox, its persistence and execution patterns, and the key detection points analysts can rely on. The report includes details about process activity, file system changes, network behavior, and extracted indicators, along with TI Lookup queries tailored to each malware family; PDFChampions’ mutex-based signature, Efimer’s Tor-based curl command, and BTMOB’s Android configuration file. 

PDFChampions (Windows) 

A browser hijacker distributed via malvertising that also acts as a loader. It changes the default search engine, terminates competing browsers, and can download and run additional payloads directly in memory.

Detection note: identify activity via the mutex “Champion.”

TI Lookup: syncObjectName:”Champion” 

Efimer (Windows) 

A cryptocurrency-focused trojan spread through phishing and compromised WordPress sites. It steals wallets and credentials and uses curl.exe to reach a Tor-hidden C2 endpoint (.onion/route.php). 
Detection note: monitor curl connections to .onion/route.php. 
TI Lookup: commandLine:”curl.exe*.onion/route.php” 

BTMOB RAT (Android) 

An Android RAT sold as MaaS. It abuses Accessibility Services for full device control, records screen and audio, and targets financial apps. Distributed through phishing APKs.

Detection note: presence of BTConfig.xml in the app’s shared preferences.

TI Lookup: filePath:”/data/data/*/shared_prefs/BTConfig.xml” 

Threat Intelligence Report 2: Monkey, Phoenix, and NonEuclid 

Full analysis in TI Report 

This month’s Threat Brief examines three threats in detail, with execution-flow screenshots, detection indicators, persistence artifacts, and public-sample telemetry. The report also provides ready-to-use TI Lookup queries and IOCs so teams can expand visibility and identify similar cases in their environments. 

Monkey (Linux) 

Monkey is a Go-based x64 ELF ransomware that disables security controls, establishes persistence through cron, rc.local, and systemd, collects system information, and encrypts files with a .monkeyRansomware extension. It also drops a ransom note and changes the system wallpaper.

Detection note: creation of /etc/systemd/system/monkey.service.

Lookup: filePath:”/etc/systemd/system/monkey.service” 

Phoenix (Windows) 

Phoenix is a Windows backdoor delivered as a second-stage payload in targeted email campaigns. It creates a mutex, copies itself for persistence, gathers system information, and communicates with its C2 via WinHTTP. The malware also uses process injection during execution.

Detection note: dropped binary sysProcUpdate.exe used for injection.

Lookup: registryValue:”sysProcUpdate.exe” 

NonEuclid (Windows) 

NonEuclid is a C# RAT with persistence, AMSI and Defender bypass, anti-VM checks, UAC bypass, and optional AES-based file encryption using the .NonEuclid extension. Sold as a crimeware kit, it combines remote control features with ransomware capabilities and uses obfuscated strings and NTSTATUS codes that can be detected via a dedicated YARA rule. 
Detection note: YARA detection based on obfuscated Unicode strings and NTSTATUS markers. 

Threat Intelligence Report 3: Valkyrie, Sfuzuan, and Sorvepotel 

Full analysis in TI Report 

This Threat Brief examines three Windows-based threats with different infection vectors and persistence patterns. The report includes sandbox screenshots, process activity, on-disk artifacts, and TI Lookup queries for tracking related behavior across public submissions. 

Valkyrie (Windows) 

Valkyrie is a credential-stealing MaaS platform linked to Prysmax. It collects browser and system data, stores temporary output in Valkyrie.zip under the Temp directory, and exfiltrates the archive to a remote C2. Detection is possible through the Temp-path signature or a dedicated YARA rule included in the report.

TI Lookup: filePath:”C:\Users\admin\AppData\Local\Temp\Valkyrie.zip” 

Sfuzuan (Windows) 

Sfuzuan is a backdoor distributed through multiple, unrelated sources. It bypasses system protections to gain access, gathers system and location details, and connects to a set of rotating command-and-control domains. The malware drops a distinctive TXT file that serves as a reliable detection point.

TI Lookup: filePath:”C:\Windows\864ac8″ 

Sorvepotel (Windows) 

Sorvepotel is a self-propagating campaign spread through WhatsApp messages containing malicious ZIP archives. After launch, it uses PowerShell and VBS scripts for execution and persistence, creates scheduled tasks, and automatically sends the same archive to all WhatsApp Web contacts. The campaign targets Portugal and Brazil using geofencing based on IP and system language.

TI Lookup: filePath:”Orcamento-2025*” 

Empower Your SOC with Real-Time Behavioral Insights 

Multi-stage loaders, encrypted payload containers, and region-aware campaigns are getting harder to catch with static filtering alone. While these threats unfold across PowerShell chains, COM-triggered executions, Linux services, or Android components, attackers move quickly, and manual triage can’t keep up. ANY.RUNgives SOC teams the behavioral visibility they need to respond at the speed of modern attacks. 

Here’s how teams stay ahead: 

• Surface hidden execution paths immediately: Detonate loaders, encrypted payloads, and cloud-hosted components inside a live VM and watch each stage, JavaScript, PowerShell, .NET, Linux services, or APK behavior, as it unfolds. 

• Shorten investigation time: Automated unpacking, network tracing, and live indicators turn multi-stage chains into readable timelines, reducing time spent reversing obfuscated scripts or in-memory loaders. 

• Catch stealthy techniques earlier: From fileless PowerShell commands to COM-based execution and WhatsApp-triggered propagation, behavioral cues expose activity that traditional tools overlook. 

• Strengthen detections with instant enrichment: Use Threat Intelligence Lookup to pivot from a single IOC, file path, mutex, command line, or domain, to related submissions and shared TTPs across hundreds of cases. 

• Feed continuous intelligence into your stack: Integrate Threat Intelligence Feeds with your SIEM, SOAR, or XDR to keep detections updated as new loader variants, stealer kits, and region-specific campaigns emerge. 

For SOC teams, MSSPs, and threat researchers, ANY.RUN provides the depth and real-time visibility needed to investigate faster, validate threats quickly, and turn emerging behaviors into reliable detection logic. 

Explore ANY.RUN with a 14-day trial → 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide across finance, healthcare, telecom, retail, and technology, helping security teams investigate threats with clarity and confidence. 

Built for speed and deep visibility, the solution combines interactive malware analysis with live threat intelligence, allowing SOC analysts to observe real execution behavior, extract indicators, and understand attacker techniques in seconds. 

By integrating ANY.RUN’s Threat Intelligence suite into existing security workflows, teams can accelerate investigations, reduce uncertainty during incidents, and strengthen resilience against fast-evolving malware families and multi-stage attack chains. 

The post Major Cyber Attacks in November 2025: XWorm, JSGuLdr Loader, Phoenix Backdoor, Mobile Threats, and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More