Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats 

Every piece of malware leaves traces behind. Sometimes it’s a string buried deep in the code. Other times it’s a mutex, a registry key, or a network pattern. The key is knowing what to look for. 

That’s exactly what malware signatures are for. They describe recurring elements (unique strings, behaviors, or structural patterns) that can be used to reliably identify known threats. 

Security teams use these signatures to detect and flag malicious activity, sometimes before the malware even has a chance to do damage. 

In this article, we’ll break down what malware signatures are, the different types you’ll encounter, and how tools like YARA and Suricata help turn small clues into confident decisions. 

What Is a Malware Signature? 

A malware signature is a unique indicator tied to a specific piece of malicious software. It could be a text string, a file hash, a mutex, or even a sequence of behaviors. Security tools use these signatures to recognize and flag known threats, kind of like matching fingerprints at a crime scene. 

The goal is simple: spot malware based on something that consistently shows up across samples from the same family or campaign. Once identified, these signatures become part of detection rules used by antivirus engines, sandboxes, and intrusion detection systems. 

How Are Malware Signatures Created? 

Malware signatures are usually crafted by security researchers and automated detection systems after analyzing how a threat behaves or what it contains. 

When a new malware sample is discovered, analysts break it down, looking at code, memory behavior, registry changes, network traffic, and other markers. If they notice something unique or consistently present across samples, like a specific mutex name, string, or packet structure, that becomes a potential signature. 

Depending on the tool or platform, these signatures can take different forms: 

  • Static signatures are based on strings, byte sequences, or file hashes. 
  • Behavioral signatures are based on what the malware does, like creating certain processes or modifying the registry. 
  • Custom rules, written for tools like YARA or Suricata, allow analysts to define more complex patterns based on real-world observations. 

Main Types of Malware Signatures 

Not all malware looks or behaves the same, and the same goes for how we detect it. Over time, security teams have developed different types of signatures to match different kinds of threats.  

Here are the most common ones: 

Static Signatures 

These are the most traditional and widely used. Static signatures match fixed elements inside a file, like strings, byte sequences, or hashes, without needing to run the malware. 

Key traits: 

  • Match based on file content (strings, hex patterns, hashes) 
  • Fast and efficient for known threats 
  • Can be bypassed through obfuscation or slight code changes 
  • Commonly used in antivirus software  

Heuristic Signatures

Heuristic signatures look beyond exact matches. They evaluate the structure or logic of a file to identify suspicious patterns that may indicate malware, even if the sample is new or modified. 

Key traits: 

  • Detect threats based on suspicious code structures 
  • Useful for catching variants or zero-day malware 
  • May generate false positives if too broad 
  • Often found in email filters, AVs, and static analyzers 

Behavioral Signatures 

Rather than scanning a file, these signatures monitor what it does when executed. If it behaves like malware, e.g., injecting code or modifying the registry, it gets flagged. 

Key traits: 

  • Trigger on real-time actions and behaviors 
  • Great for catching fileless or evasive malware 
  • Require sandboxing or endpoint monitoring 
  • Common in EDRs, sandboxes, and dynamic analysis tools 
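
To make the three types concrete, here is an added example (written for this article, not code from ANY.RUN or any vendor) that applies one signature of each kind to constructed input: a SHA-256 and a byte-pattern signature over a made-up file, an entropy heuristic for packed executables, and a behavioral rule over a made-up event trace. It also shows the static-signature weakness listed above: a one-byte change defeats the hash and an encoded string defeats the byte pattern, which is why heuristic and behavioral rules, which look at structure and actions rather than exact bytes, are run alongside them. The marker string, the event trace and the signature names are all constructed for this example.

```python
"""Added example for this article (not vendor code): the three signature types
above applied to constructed input, plus the obfuscation weakness of static
signatures. Sample bytes and events are made up and contain no real malware."""
import hashlib
import math

# Constructed "file": PE-like header, a marker string a family might carry, padding.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"EXAMPLE_FAMILY_MARKER\x00" + b"\x00" * 200
# Constructed "packed" file: same header, body with a near-uniform byte distribution.
PACKED = b"MZ\x90\x00" + b"\x00" * 60 + bytes((i * 131 + 7) % 256 for i in range(4096))

# --- Static signatures: fixed content, no execution ---------------------------
STATIC_SIGS = [
    {"name": "hash:example-family-v1", "kind": "sha256",
     "value": hashlib.sha256(SAMPLE).hexdigest()},
    {"name": "bytes:example-family-marker", "kind": "bytes",
     "value": b"EXAMPLE_FAMILY_MARKER"},
]


def static_scan(data: bytes, sigs=STATIC_SIGS) -> list:
    """Return names of static signatures whose hash or byte pattern occurs in data."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in sigs:
        if sig["kind"] == "sha256" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["kind"] == "bytes" and sig["value"] in data:
            hits.append(sig["name"])
    return hits


# --- Heuristic signature: structure rather than exact content -----------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def heuristic_scan(data: bytes, threshold: float = 7.0) -> list:
    """A PE-like header followed by a near-random body suggests packing or
    encryption. This catches unseen variants but, as the text notes, can also
    flag legitimately compressed executables if the threshold is too low."""
    if data[:2] == b"MZ" and shannon_entropy(data[64:]) > threshold:
        return ["heuristic:packed-executable"]
    return []


# --- Behavioral signature: a sequence of runtime actions ----------------------
# Constructed event trace in the shape an endpoint monitor would record.
EVENTS = [
    {"type": "process_create", "pid": 100, "image": "invoice.exe"},
    {"type": "file_write", "pid": 100, "path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"type": "registry_set", "pid": 100,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svc"},
    {"type": "process_create", "pid": 101, "ppid": 100, "image": "svc.exe"},
]


def behavioral_scan(events: list) -> list:
    """Fire when one process drops an executable, registers a Run key and then
    spawns a child: no single event is proof, the sequence is the signature."""
    state, hits = {}, []
    for ev in events:
        flags = state.setdefault(ev["pid"], set())
        if ev["type"] == "file_write" and ev["path"].lower().endswith(".exe"):
            flags.add("drop")
        if ev["type"] == "registry_set" and ev["key"].endswith("\\Run"):
            flags.add("persist")
        parent = state.get(ev.get("ppid"), set())
        if ev["type"] == "process_create" and {"drop", "persist"} <= parent:
            hits.append(f"behavior:drop-persist-execute (parent pid {ev['ppid']})")
    return hits


def evasion_demo() -> tuple:
    """Why static signatures are brittle: one flipped byte defeats the hash,
    and a simple XOR encoding of the marker defeats the byte pattern as well."""
    variant = bytearray(SAMPLE)
    variant[-1] ^= 0xFF
    encoded = SAMPLE.replace(b"EXAMPLE_FAMILY_MARKER",
                             bytes(b ^ 0x41 for b in b"EXAMPLE_FAMILY_MARKER"))
    return static_scan(bytes(variant)), static_scan(encoded)


if __name__ == "__main__":
    print("static   :", static_scan(SAMPLE))
    print("heuristic:", heuristic_scan(SAMPLE), heuristic_scan(PACKED))
    print("behavior :", behavioral_scan(EVENTS))
    print("evasion  :", evasion_demo())
```

Running it, the hash and byte-pattern signatures both fire on the original sample, only the byte pattern survives the one-byte change, and neither survives the encoded marker; the packed sample trips the entropy heuristic and the event trace trips the behavioral rule, neither of which cares about the exact bytes that were changed.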


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



How Detection Tools Use Signatures: YARA and Suricata 

Once malware signatures are defined, they need to be used effectively, and that’s where tools like YARA and Suricata come in. Each serves a unique purpose: one focuses on files and memory, the other on network traffic. Together, they cover a wide range of threats and detection angles. 

YARA Signatures: Matching Patterns in Files and Processes 

YARA is a rule-based detection tool that helps analysts identify malware by describing textual or binary patterns. It’s especially powerful for hunting threats across memory dumps, unpacked payloads, or large malware datasets. 

YARA helps security teams quickly identify threats by matching known patterns in files, processes, or memory. It automates what would otherwise be a slow, manual process, making detection faster, more accurate, and more scalable. 

Its real strength lies in customization. Teams can write tailored rules to catch specific malware strains or adapt to new threats as they emerge. When combined with ANY.RUN’s interactive sandbox, YARA matches are shown alongside how the matched sample behaves, giving organizations the insight they need to act fast and prevent damage. 

Key benefits of YARA in a security workflow: 

  • Speeds up detection and reduces manual effort 
  • Detects both known and emerging malware families 
  • Cuts down false positives with precise rules 
  • Boosts efficiency across security teams 
  • Helps contain threats early and minimize risk 

Real-World Example: Matching the Mutex Pattern 

YARA rule example pulled from ANY.RUN sandbox analysis 

Let’s look at an example of a YARA rule used in ANY.RUN’s sandbox: 

$s6 = "Local\\SM0:%d:%d:%hs" wide   // a literal backslash is written as \\ in YARA text strings

This string is part of a rule designed to detect mutexes created by certain malware families.

To see this signature in action, check out this ANY.RUN analysis session

Checking mutex signature inside ANY.RUN sandbox 

Navigate to the MediaCenter.exe process → More Info → Synchronization tab. 

There, you’ll find the mutex: Local\SM0:5320:168:WilStaging_02 

YARA-based mutex signature detected inside ANY.RUN sandbox

This mutex exactly matches the YARA signature pattern. The use of placeholders like %d and %hs allows the rule to flexibly detect variations of this format across different samples. 

  • %d matches any sequence of digits (0–9) 
  • %hs matches a short string or hexadecimal value, typically 2 bytes 

This is a great example of how YARA rules aren’t just powerful, they’re also adaptable to the real-world quirks of evolving malware behavior. 
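
The placeholder matching described above, as an added example (written for this article, not ANY.RUN’s or YARA’s code): it translates the printf-style template into a regular expression and runs it over a constructed list of mutex names, the first of which is the one cited above. One caveat a practitioner should keep in mind: a YARA text string such as $s6 matches the format string as it sits in the binary or in memory, byte for byte. To test the runtime-expanded name shown in the Synchronization tab against the same template, the placeholders have to become character classes, which is what the conversion table here does; the mapping of %hs to a run of non-separator characters is this example’s assumption.

```python
"""Added example for this article, not ANY.RUN or YARA code: turning the
printf-style mutex template from the rule into a matcher for the runtime
mutex names a sandbox reports."""
import re

TEMPLATE = r"Local\SM0:%d:%d:%hs"      # the format string quoted in the article

# printf conversion -> regex fragment (the placeholder semantics the text describes)
_CONVERSIONS = {
    "d": r"-?\d+", "i": r"-?\d+", "u": r"\d+",           # decimal integers
    "x": r"[0-9a-fA-F]+", "X": r"[0-9a-fA-F]+",          # hexadecimal integers
    "s": r"[^:\\]+", "hs": r"[^:\\]+", "ls": r"[^:\\]+", # strings: stop at ':' or '\' (assumption)
}
_SPEC = re.compile(r"%(?:(?P<mod>ll|l|h)?(?P<conv>[diuxXs])|(?P<pct>%))")


def template_to_regex(template):
    """Escape the literal parts and replace each %-conversion with a capture group."""
    parts, pos = [], 0
    for m in _SPEC.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group("pct"):
            parts.append("%")                       # '%%' is a literal percent sign
        else:
            key = (m.group("mod") or "") + m.group("conv")
            parts.append("(" + _CONVERSIONS.get(key, _CONVERSIONS[m.group("conv")]) + ")")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match_mutex(template, name):
    """Return the values the placeholders captured, or None if name does not fit."""
    m = template_to_regex(template).match(name)
    return m.groups() if m else None


def scan(template, names):
    """Map every observed name to its captured values (or None)."""
    return {name: match_mutex(template, name) for name in names}


# Constructed list in the shape of a sandbox's Synchronization view. The first
# entry is the mutex cited in the article; the others are made up to show
# what the template does and does not accept.
OBSERVED = [
    r"Local\SM0:5320:168:WilStaging_02",
    r"Local\SM0:4412:304:WilStaging_02",   # different numeric values: still matches
    r"Global\SM0:5320:168:WilStaging_02",  # different namespace: no match
    r"Local\SM0:abc:168:WilStaging_02",    # %d needs digits: no match
    r"Local\SM0:%d:%d:%hs",               # the raw format string itself: no match
]

if __name__ == "__main__":
    for name, groups in scan(TEMPLATE, OBSERVED).items():
        print(f"{'MATCH' if groups else 'no   '}  {name}  {groups or ''}")
```

The same idea can be written directly in YARA as a regex string, for example /Local\\SM0:\d+:\d+:[^:\\]+/, and the last constructed entry shows why the two forms are complementary: the raw format string in the binary is exactly what the literal $s6 string catches, while only the regex form accepts the expanded names the sandbox lists.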

Suricata Signatures: Detecting Malicious Behavior in Network Traffic 

While YARA focuses on identifying malware based on what it is, Suricata helps detect malware based on what it does across the network. It’s an advanced intrusion detection system (IDS) that monitors real-time traffic and flags suspicious behavior using both signature- and anomaly-based techniques. 

ANY.RUN integrates Suricata to enhance threat visibility at the network level, allowing analysts to catch threats as they try to communicate with command-and-control servers, exfiltrate data, or spread laterally. Suricata signatures give security teams immediate context: what’s happening, where, and why it matters. 

Click on the Threats tab inside ANY.RUN sandbox to view all threats detected by Suricata rules   

Key benefits of Suricata in a security workflow: 

  • Detects malicious traffic and C2 communication in real time 
  • Complements file-based detection with network-layer visibility 
  • Helps attribute threats to specific malware families 
  • Speeds up incident response with actionable alerts 
  • Empowers teams with visibility into protocol activity across multiple layers 

Suricata Rule Example from ANY.RUN Sandbox Analysis

In ANY.RUN, Suricata rules are applied automatically during sandbox analysis. Let’s take a look at a real-world detection involving Gh0st Remote Access Trojan (RAT). 

View analysis session with Gh0st RAT 

Suricata rule triggered by Gh0st RAT inside ANY.RUN 

After execution, the sample initiates suspicious encrypted traffic. Suricata instantly detects it and flags the connection as Gh0st RAT activity.

Gh0st RAT detected by Suricata 

How it works: 

  • Suricata inspects packets across protocols (HTTP, TCP, UDP, etc.) 
  • It matches patterns defined in the ET (Emerging Threats) rule sets 
  • Once a match is found, it provides detailed metadata: source/destination IPs, ports, signature ID, and threat name 

Clicking on a threat from the list reveals its details 

By switching to the Suricata rule tab, you’ll be able to inspect it more thoroughly.  

Suricata signature displayed inside the ANY.RUN sandbox 
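
The “How it works” steps above, as an added example (written for this article; not Suricata’s code and not an Emerging Threats rule): a small evaluator that parses a rule written in Suricata syntax and applies it to constructed flows, emitting the alert metadata listed above. The rule is constructed: its sid sits in the local-rule range, and its content, the 5-byte ASCII header “Gh0st”, is the widely documented start of the Gh0st RAT protocol, used here as an assumption rather than quoted from the article. The address-group variables and the flows are likewise made up, and the flow: keyword and |hex| content notation are not modelled.

```python
"""Added example for this article, not Suricata or ANY.RUN code: a minimal
evaluator for a rule written in Suricata syntax, applied to constructed flows
and producing the alert metadata the text lists (IPs, ports, sid, name)."""
import ipaddress
import re

# Constructed rule. sid is in the local-rule range (>= 1000000); the 5-byte
# ASCII header "Gh0st" is the widely documented start of the Gh0st RAT
# protocol. Both are assumptions, not quoted from the article or an ET rule.
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE MALWARE Gh0st RAT protocol header"; flow:established,to_server; '
    'content:"Gh0st"; depth:5; classtype:trojan-activity; sid:1000001; rev:1;)'
)
# Address-group variables as suricata.yaml would define them (constructed).
VARS = {"$HOME_NET": ["192.168.0.0/16", "10.0.0.0/8"], "$EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Return header fields plus an 'options' map (keyword -> value or None)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    rule = m.groupdict()
    rule["options"] = {}
    # Suricata requires a literal ';' inside msg/content to be escaped, so a
    # plain split is safe for this subset (|hex| content is not handled).
    for raw in filter(None, (p.strip() for p in rule.pop("opts").split(";"))):
        key, _, value = raw.partition(":")
        rule["options"][key.strip()] = value.strip().strip('"') if value else None
    return rule


def ip_matches(spec, ip):
    """Resolve 'any', '$VAR', '!$VAR' or a literal CIDR against an address."""
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    resolved = VARS.get(spec, spec)
    if isinstance(resolved, str) and resolved != spec:
        hit = ip_matches(resolved, ip)                  # variable aliasing another spec
    else:
        nets = [resolved] if isinstance(resolved, str) else resolved
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return not hit if negate else hit


def content_matches(options, payload):
    """'depth:N' means the content must lie entirely within the first N bytes."""
    content = options.get("content")
    if content is None:
        return True
    return content.encode() in payload[:int(options.get("depth", len(payload)))]


def evaluate(rule, flow):
    """Return an alert record (the metadata an analyst sees) or None."""
    ports_ok = all(spec == "any" or int(spec) == port for spec, port in
                   ((rule["sport"], flow["src_port"]), (rule["dport"], flow["dest_port"])))
    if (rule["proto"] not in ("any", "ip", flow["proto"]) or not ports_ok
            or not ip_matches(rule["src"], flow["src_ip"])
            or not ip_matches(rule["dst"], flow["dest_ip"])
            or not content_matches(rule["options"], flow["payload"])):
        return None
    o = rule["options"]
    return {"sid": int(o["sid"]), "rev": int(o.get("rev", 1)), "signature": o["msg"],
            "classtype": o.get("classtype"), "src_ip": flow["src_ip"],
            "src_port": flow["src_port"], "dest_ip": flow["dest_ip"], "dest_port": flow["dest_port"]}


def run_rules(rules, flows):
    """Apply every rule to every flow; one alert record per match."""
    return [a for flow in flows for rule in rules if (a := evaluate(rule, flow)) is not None]


# Constructed flows (assumed established client -> server, so 'flow:' is not
# modelled). Addresses are private/documentation ranges.
def flow(dest_ip, dest_port, payload, src_port):
    return {"proto": "tcp", "src_ip": "192.168.1.10", "src_port": src_port,
            "dest_ip": dest_ip, "dest_port": dest_port, "payload": payload}


FLOWS = [
    flow("203.0.113.5", 443, b"Gh0st" + bytes(8), 49152),                          # internal -> external: alert
    flow("203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 49153),  # benign: no alert
    flow("192.168.1.20", 445, b"Gh0st" + bytes(8), 49154),                         # internal -> internal: no alert
    flow("203.0.113.5", 443, b"\x00\x00Gh0st", 49155),                             # header not within depth 5: no alert
]

if __name__ == "__main__":
    for alert in run_rules([parse_rule(EXAMPLE_RULE)], FLOWS):
        print(alert)
```

Only the first flow produces an alert. The third stays silent because $EXTERNAL_NET is defined as !$HOME_NET, which is the kind of variable definition that decides whether a rule fires at all; the fourth stays silent because depth:5 requires the header to sit inside the first five bytes, not merely somewhere in the payload.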

Making the Most of Malware Signatures in ANY.RUN 

Malware signatures can do a lot on their own, but when they’re used in the right environment, they become even more useful. 

Inside ANY.RUN’s sandbox, YARA and Suricata work together to give you the full picture. You can see what a file is doing locally, spot mutexes, registry changes, and other signs of malicious behavior, then switch to the network layer to catch things like encrypted C2 traffic or data exfiltration. Both angles are covered, without having to jump between tools. 

Instead of switching between tools, analysts get everything in one place: interactive, real-time, and backed by constantly updated signature sets. That means less time digging and more time acting. 

If your goal is to reduce investigation time, improve detection accuracy, and truly understand how malware behaves, ANY.RUN puts those capabilities right at your fingertips. 

About ANY.RUN

ANY.RUN is used by over 500,000 cybersecurity professionals and 15,000+ companies across finance, manufacturing, healthcare, and other industries. Its Interactive Sandbox offers fast threat analysis for Windows, Linux, and Android, aiding malware and phishing investigations. Threat Intelligence Lookup and TI Feeds enhance cyber attack knowledge and detection.

ANY.RUN’s Cybersecurity Blog – Read More

Year in Review: The biggest trends in ransomware

This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences.

Ransomware operators often prioritized stealth over complexity for initial access. They also focused on slipping past defenses with minimal noise—uninstalling security tools, creating new firewall rules for remote access, and using common, freely available tools.

The ransomware-as-a-service landscape also paints an interesting picture. A new player quickly rose through the ranks, becoming the second most prolific operator by targeting large payouts.

Something that hasn’t really changed over the years is the sectors that ransomware actors target most heavily – favouring industries that typically have lower security budgets, irregular monitoring, but highly sensitive data.

We’ve pulled together the most significant insights in a quick, 2-page PDF:

Only have 55 seconds? Watch this video:

For the full analysis, download Talos’ 2024 Year in Review.

Cisco Talos Blog – Read More

12 tips on how to use WhatsApp, Telegram, Signal, Viber, WeChat, and other messaging apps safely | Kaspersky official blog

How do you keep your chats private and protect your messaging account from being stolen or hacked? Here are 12 simple rules with brief explanations of why each one is important.

Enable two-factor authentication

Why this is important. It keeps your account from being hacked or hijacked through SIM swapping or some other technique. Turning on this setting requires entering your secret password in addition to the SMS verification code when signing in to the messaging app with your account on a new device.

What to do. Open the security and privacy settings of your messaging app, enter a secret password, and memorize it. You’ll only need to enter it when linking a new device to your account. To make things easier, you can generate and store it in a secure password manager, or test the strength of your password using our free Kaspersky Password Checker.

Don’t share one-time passwords

Why this is important. If scammers want to steal your account, they’ll try to trick you into giving them the verification code after you receive it in your messaging app.

What to do. Don’t forward or dictate one-time passwords for signing in to chat apps to anyone. Your friends, support agents, companies, or banks will never need these codes. If someone is asking for a code, it’s a scammer.

Never scan QR codes outside of the messaging app

Why this is important. Some account hijacking schemes masquerade as invitations to join a group or chat. You scan a QR code in an ad, but instead of joining a neighborhood or class chat, you allow a scammer to link their device to your account.

What to do. If someone is asking you to scan a QR code, find the scanner in the messaging app — typically in the Settings. Don’t use your camera or some other QR-code scanning app. Carefully read the prompts displayed by the messaging app: it’ll tell you whether you’re joining a group or channel, or linking a new device to your account.

Carefully check new contact requests

Why this is important. Scammers typically imitate people you know: “Hi! Me again. I’ve a new phone number”. They may even know who your boss is. Many scams that result in major financial losses start with requests from “friends” or “colleagues”. Another type of attack is a “misdialed call” scam. “Is this Hannah? It’s not? Oh, sorry! I misdialed. Anyway, how are things?”

What to do. If you see a new chat, but there’s no history, stay alert! If this is supposedly an acquaintance, ask them about something only they would know. If your boss is texting you, it’s best to confirm it with them directly through a different channel, such as their office phone, work email, or in person, before proceeding. If you get a message from someone claiming it was sent in error, ignore any enticing offers, especially if accompanied by links or files.

Use the block feature

Why this is important. It’s the best way to get rid of stalkers, scammers, and clinging exes.

What to do. Don’t ignore spammers or scammers from the previous tip. Every chat app has a “Block user” button — don’t hesitate to press it! This will prevent the scammer from writing you again — or, after several reports, anyone else. This button is also a great way to minimize reminders of those unpleasant people from your past.

Think before you open a link — even if it’s from a friend

Why this is important. Your friends are vulnerable too. Scammers can compromise their accounts, then use them to send manipulative messages — pleas for help or provocations — to everyone in their contact list, aiming to extort money or hijack further accounts.

What to do. Steer clear of suspicious website links, unfamiliar file attachments, pleas for cash, requests to vote in dubious contests, messages like, “Is that really you in that photo?”, and unexpected, too-good-to-be-true offers like free premium subscriptions. To ensure you don’t stumble into these traps, delete such messages on sight. If they appear to be from someone you know, reach out using another channel, and alert them to the suspicious activity occurring under their name. If you act quickly, you might be able to help your friends recover their accounts, as 24 hours is often all there is to do so.

Restrict access to your smartphone and messaging app

Why this is important. If your phone gets stolen, or you give it to a friend, coworker, or relative, access control will keep anyone from snooping on your chats.

What to do. Enable screen lock: fingerprint, Face ID, or a long PIN. Also, enable App Lock in the phone settings or messaging app itself. Your fingerprint or PIN will be required to open the app every time. Even if you give someone an unlocked phone, they won’t be able to use the chat app.

Turn off message previews

Why this is important. A locked phone screen may display highly sensitive data: from private messages to verification codes from the bank.

What to do. Disable message previews on the lock screen. You can do that in the “Notifications” section of the phone settings.

Use disappearing and one-time-view messages

Why this is important. If you’re sharing things like Wi-Fi passwords, booking details, or your home address, which are only needed for a moment, don’t leave them in your chat history to haunt you later. What if one of you gets hacked?

What to do. When sharing sensitive data, apply either an auto-delete timer for messages or the “view once” setting, depending on the situation. If neither is an appropriate option, set a reminder to revisit the chat and delete the message for both users after an hour, day, or week.

Added bonus. This looks cool and helps keep the chat uncluttered.

Don’t send nudes!

Why this is important. Even if it’s just a one-time view message, the picture might be shown to people around or screenshotted and then used against you.

What to do. Avoid sharing anything that could upset, embarrass, jeopardize, or open you up to blackmail if published. This is true for any private information, not just nudes. If your nudes have already been leaked online, there might still be a chance to get them removed.

Be careful with group chats

Why this is important. You probably trust your friends. But how well do you know the people your friends add to groups?

What not to do. Don’t share your phone numbers, addresses, or other sensitive (your own as well as others’) personal information in large chats.

Limit your profile visibility

Why this is important. Neither scammers nor strangers need to see your profile photo or know when you were last seen online.

What to do. Open the Privacy section in the chat app settings and choose who can see your “Last Seen”, “Profile Photo”, “Status”, and so on. By default, this data is visible to everyone. Adjust the settings to your preference, choosing either “My Contacts” or “Nobody”.

Read other stories to find out how to adjust security and privacy settings in specific messaging apps, and what to do if you’ve been targeted by scammers or had your account compromised:

Kaspersky official blog – Read More

Threat actors thrive in chaos

Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings invoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize removing the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed, each weakness remediated helps move the security posture forwards and makes your organization a tougher target for the bad guys who in turn are more likely to seek easier quarry.

The one big thing 

We are continuing our discussion of Talos’ 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

Why do I care? 

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

So now what? 

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static but constantly changing to try and outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not be continuing for over 10 years since disclosure. Aggressively identify systems within your IT estate that are vulnerable to this attack and urgently patch them.

Top security headlines of the week 

Hackers strike Australia’s largest pension funds. A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters)

Ireland Plans 300-Strong Military Cyber Command. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times)

Baltimore City Falls Victim to Vendor Fraud. Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News)

CISA Warns of Vulnerabilities in ICS Software. The U.S. Cybersecurity and Infrastructure Security Agency released advisories relating to five series vulnerabilities in Industrial Control Systems software. (CISA)

Can’t get enough Talos?

  • Unraveling the U.S. toll road smishing scams. Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
  • Beers with Talos: 2024 Year in Review. Joe, Hazel, Bill and Dave break down 2024 Year in Review and discuss how and why cybercriminals are leaning on attacks based in stealth and simplicity. Listen here.
  • The TTP Ep 10 (Part 1). Peeling back the layers of the threats that dominated 2024. Watch now.
  • The TTP Ep 10 (Part 2). Ransomware groups, and why we’re seeing more identity attacks. Watch now.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details 
Typical Filename: VID001.exe   
Detection Name: Simple_Custom_Detection

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe 
Detection Name: Simple_Custom_Detection  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe   
Detection Name: Coinminer:MBT.26mw.in14.Talos   

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b 
MD5: f5e908f1fac5f98ec63e3ec355ef6279 
VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details 
Typical Filename: IMG001.exe 
Detection Name: Win.Dropper.Coinminer::tpd 

Cisco Talos Blog – Read More

Unraveling the U.S. toll road smishing scams

  • Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.  
  • We observed that the campaign targets people across several states in the U.S. according to the domain names used in the smishing messages. 
  • Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by “Wang Duo Yu”, according to the intelligence obtained by Talos. 

Toll road smishing attacks 

Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S. toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages. 

The actors send an SMS notification for an outstanding bill claiming that the potential victim owes a small amount of money, under $5 USD. They warn of potential late fees, prompting victims to visit a spoofed domain for the payment.  

Sample phishing SMS messages. 

When the victim visits the domain, they are prompted to solve a fake image-based CAPTCHA, after which it redirects the victims to a fake webpage with the legitimate toll service’s logo. This webpage prompts the victims to enter their name and ZIP code to view their fake bill. The fake bill displays the victim’s name with a message showing that they owe approximately $4 and warning of a $35 late payment fee. 

After the victim views their fake bill, they click the “Proceed Now” button which redirects them to another fake webpage. This site prompts the victim to enter their name, address, phone number and credit card information, which the threat actor eventually steals. Due to the limited visibility of the threat actor phishing infrastructure, Talos is unsure if there are any further payloads delivered to the victims’ devices. 

In April 2024, the FBI’s Internet Crime Complaint Center (IC3) warned about a similar toll road smishing campaign where the threat actor used the same brand impersonation technique but with slight differences in the SMS message language, monetary values and formatting. 

Targeting toll road users in multiple states indicates the likelihood of the threat actor leveraging user information publicly leaked from large databases. For example, the threat actor behind the 2024 National Public Data leak released billions of records publicly which were then shared on private Telegram channels for further abuse. However, Talos currently does not have any evidence to suggest that the toll road smishing campaign is fueled by the National Public Data leaks.  

Phishing infrastructure 

Talos observed that the actors have used several typosquatted domains in the SMS phishing messages to convince the potential victims to visit them. These typosquatted phishing domains were created during Oct. and Nov. 2024 and were observed resolving to one of the following IP addresses: 45[.]152[.]115[.]161 and 82[.]147[.]88[.]22.  

As of March 2025, Talos is still seeing new domains registered by the threat actors for the toll road scams, implying that the campaign is ongoing. During our research period, these newly registered domains resolved to the IP address 43[.]156[.]47[.]209. 

Smishing kits likely used in the U.S. toll road scams 

Talos assesses with moderate confidence that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as “Wang Duo Yu”, according to the intelligence obtained by Talos. 

We have observed similar smishing kits being used by the organized cybercrime group known as the “Smishing Triad.” This group has conducted large-scale smishing attacks targeting mail services in multiple countries, including the United States Postal Service (USPS), as well as the financial and commercial sectors, as previously reported by Resecurity.

Talos discovered references to specific phishing kits targeting toll systems in the DY Tongbu Telegram channel “老王同步源码开发教学”, which translates to “Lao Wang Synchronized Source Code Development Tutorial.”  

Public Lao Wang Synchronized Source Code Development Tutorial Telegram channel.

The Telegram channel shared details about a phishing module that allegedly spoofs the Massachusetts MassDOT’s EZDriveMA toll system, as well as a phishing module that targets customers of the North Texas Toll Authority. At the time of publication, the Telegram channel had more than 4,400 subscribers. 

Further investigation has revealed that the developer, 王多余 (translated to Wang Duo Yu), has developed a similar smishing kit and operates the Lao Wang Synchronized Source Code Development Tutorial Telegram channel from two separate accounts. The pictures shown below display screenshots of the two Telegram accounts related to Wang Duo Yu. 

Two Telegram accounts related to Wang Duo Yu. 

Additionally, we noticed that the developer has created a YouTube channel where they upload tutorial videos. These videos cover topics such as “How to Build a PMTA Mail Server,” “Setting Up an Automatic EPUSD Payment and Vending System,” “Creating a Pagoda Panel Website (宝塔面板),” “Building the Simplest and Safest Node Using Native Tools,” and “Using the X-UI Panel to Set Up a VMess+WS+TLS+Web or VLess+WS+TLS+Web Node.”  Each video guides users on building basic web services or mail servers. 

Wang Duo Yu’s YouTube channel. 

There are also some private video links that cannot be found elsewhere. Talos found one such video on a Chinese forum. To access the post with the video link, users need special permissions in that forum. 

Wang Duo Yu’s YouTube channel with private video. 

We also observed Wang Duo Yu promoting their smishing kits business and tutorials on other Telegram channels, also offering personal lessons that include full-stack development, mail server setup and Telegram bot development. The threat actor offers a two-hour lesson each day and provides one-on-one instruction via remote desktop, charging ¥5888 (converting to approx. US $806 at time of publication) per class. 

Wang Duo Yu marketing the kits in Telegram channels. 

One of the Telegram channels shown in the above picture is called “向前论坛,” translating to “Xiangqian Forum,” of which Wang Duo Yu is a moderator. Wang Duo Yu posted articles in this forum to increase subscribers, promoted their own teaching courses, and provided links and discount codes for purchasing VPS and domains. 

Wang Duo Yu selling the VPS and cloud services through his website. 

We also found an additional website selling VPS and cloud services, confirmed to be owned by Wang Duo Yu. The “wangduoyu[.]vip” website was active from 2022 to 2023. 

Wang Duo Yu’s shop website. 

Wang Duo Yu’s shop DNS resolved IPs and active periods of time. 

We observed that Wang Duo Yu offers the toll smishing kit source code for sale and provides services to assist in setting up the whole system. In a forum post, they stated that anyone interested can reach out to their personal Telegram account “@wangduofish”. The post also includes hidden content only visible to users with VIP access. 

Wang Duo Yu’s post includes hidden content only visible with VIP access. 

Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels. The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support. The threat actor also offers updated releases for multiple source code versions. The offers on the Telegram channel revealed that the smishing kits and source code primarily target large public-facing entities with a large end-user base, such as toll road operators, banks and postal services. 

Coverage


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  Additional protections with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Indicators of Compromise  

IOCs for this threat can be found in our GitHub repository here

Cisco Talos Blog – Read More

Protecting against attacks in ZIP, RAR, CAB, MSI, ISO and other archives | Kaspersky official blog

Archiving programs designed to simplify file storage and transfers have become common tools not only for users but also for attackers. Malicious archives are regularly found in both targeted attacks and ransomware incidents. Attackers mainly use them to bypass security measures, deceive users, and, of course, extract stolen data. This means cybersecurity and IT departments should pay close attention to how archives are handled in operating systems, business applications, and security tools. Let’s now look at how attackers can use archives.

Delivering malware by bypassing “Mark of the Web” warnings

Due to the logical features and vulnerabilities of certain archivers, when unpacked in Windows, the extracted files may not receive the “downloaded from the internet” attribute (Mark of the Web, or MotW). Technically, these attributes are stored in an NTFS alternate data stream: Zone.Identifier. If this identifier points to an external source (ZoneID = 3 or 4), Windows shows a warning when you attempt to run the executable file, and Office automatically opens potentially unsafe documents in Protected View.

By exploiting flaws in archivers, attackers bypass this layer of protection. The most recent vulnerability of this type is CVE-2025-31334 in WinRAR, but there are others: CVE-2025-0411 in 7-Zip, CVE-2024-8811 in WinZip, and more. Note that some archivers don’t support MotW at all, or only apply it to certain file extensions, or only do so when files are unpacked in a certain way. A table comparing MotW support in archivers is available on GitHub.

Automatic malware execution via archiver vulnerabilities

When a user performs a seemingly safe action (like viewing an archive or opening a harmless-looking file within it), under certain conditions the archiver can execute a malicious file or shellcode. A recent example of such a vulnerability was CVE-2024-11477 in the Zstandard algorithm, used by 7-Zip for compression. This flaw hasn’t been seen in real-world attacks yet — unlike CVE-2023-38831 in WinRAR, which was widely exploited by attackers ranging from APT espionage groups to initial access brokers. This WinRAR vulnerability allowed execution of a file from an archive when trying to view an image if the EXE file was placed in a folder with the same name as the image.

In March 2025, a similar defect was discovered in an unusual place — the Vim editor, popular among *nix users. Its standard tar.vim plugin lets users view and edit files directly inside TAR archives. CVE-2025-27423 allowed arbitrary shell command execution when editing a file from a malicious archive.

Server compromise via archive uploads

If an organization has a public web app that can handle archive uploads (such as attaching files to forms), vulnerabilities in archive unpacking can be used to hijack servers. A classic method is Zip Slip, which uses symbolic links in archives to bypass input sanitization and exploit path traversal vulnerabilities to compromise server-side applications. A list of various ZIP-handling libraries where this vulnerability has been patched (there are over 20 CVEs) is available on GitHub. It’s worth checking out to see how much software can be affected by this flaw.

Even though Zip Slip was first described in 2018, logical flaws in server-side archive unpacking are still common — as seen in this 2025 pentest and the recent vulnerability CVE-2024-12905 in tar-fs.

Bypassing security with corrupted archives

Attackers may intentionally corrupt archive contents so that automated scanners and security tools fail to analyze them fully. However, the victim can still manually recover and open the respective file with minimal effort. A recent example is the exploitation of MS Office’s “document recovery” feature — since Office files are essentially ZIP archives. Security tools and archivers may fail to scan such documents, but Word can restore and open them.

Masking malware with exotic formats

Beyond common formats like ZIP, RAR, and TAR/TAR.GZ, attackers frequently use disk image files (ISO, IMG, VHD), Windows archives (CAB, MSI), and even legacy or obscure archive types: ARJ, ACE, ICE, and others. Security tools often don’t handle these well, while modern universal archivers like WinRAR can still open them.

Disguising malware using the Matryoshka method

Mail scanners and other security tools often have configurable limits to reduce server load (for example, they may skip scanning very large files or nested archives). If an attacker creates a “matryoshka doll” (aka a “Russian doll”) of several nested archives, there’s a higher chance that the innermost archive won’t be automatically scanned in the targeted organization.

Bypassing security tools and tricking users using legitimate archive features

Attackers often combine social engineering and technical tricks to get users to perform desired actions with archives without triggering security alerts. These techniques include the following:

Encrypted archives. A classic trick from the early 2000s, which still works today. The victim receives a password-protected archive, and the password is either sent in a separate email or instant message, or hinted at within the original email itself: “The password is the current year repeated twice”. For example, this method was used in the Emotet malware campaigns.

Self-extracting archives. These were originally useful in the days before archive utilities were built into all operating systems. Today, they allow attackers to easily install malware by bundling all the necessary components into a single file. For instance, the NeedleDropper attack used a self-extracting archive to extract a popular legitimate tool, AutoIT, along with malicious AutoIT scripts, which were then executed. The attacker simply needs to trick the victim into running the archive.

A combination of the above. Some attacks use self-extracting archives that, once executed, unpack a password-protected inner archive. Technically, this password is stored within the outer archive, but few security tools can detect it there and use it.

Double-extension archives. Another classic is a self-extracting archive with a “.pdf.exe” extension and an Acrobat Reader icon assigned by the archiver. For victims who are not too IT-savvy, these tricks are still convincing.

Multi-volume archives. This function was originally used to split large files across CDs, flash drives and so on. Today, this rarely-used feature is still supported by archivers. Attackers use it to divide malware among volumes, or bypass scanning entirely, as some tools are configured only to scan ZIP or RAR files, but not R01, R02, and so on.

Polyglot files. Attackers can combine different file types into a single one, so, for example, one app opens the file as a PDF and another as a ZIP archive. This works in part because technical ZIP file headers are located at the end of the file, not at the beginning. We recently covered an attack by the Head Mare group, where phishing emails contained a polyglot file made of both a malicious EXE file (with the PhantomPyramid backdoor) and a small, harmless ZIP archive. When clicked normally, it would open as a ZIP, but when launching the shortcut inside, the same polyglot file would execute as an EXE via PowerShell.  Another version of the same method combines two archives in one polyglot file.

Self-extracting archives as launch tools. A more exotic variant — which has been seen in actual attacks — involves self-extracting archives that contain no actual files but include post-extraction commands to launch system tools like PowerShell or CMD, which are common in LotL attacks.

Data exfiltration

Compressing data and encrypting an archive before exiting the attacked network is well documented under MITRE ATT&CK technique T1560. Attackers use all options available: everything from basic archive tools on infected machines to popular archiving libraries built into the malware. In LotL attacks, attackers can combine techniques, using Windows utilities to collect files from other hosts and simultaneously archive them (for example, diantz).

Protective measures when handling archives

These measures should be prioritized and adapted based on the profile of your organization, department, and role.  To protect yourself:

Test your security tools with tricky cases: exotic archive formats, corrupted archives, and polyglot files. If direct testing is difficult, ask your vendor’s tech-support whether these cases are covered. At a minimum, test your mail gateway, NGFW, EDR/XDR solution, and sandbox (if it’s a separate solution). For example, in Kaspersky Secure Mail Gateway, the sandbox is an integral part of the security architecture and prevents most malicious attachments from opening.

Set up safe extraction. Ensure your security solution can scan deeply nested archives and large files. Different tools will vary in this area: while mail filters can thoroughly scan attachments and detonate them in a sandbox, NGFWs will probably just check the reputation of the archive itself and its visible files.  Therefore, deeper analysis should be used on both endpoints and mail gateways, while web filters and NGFWs should apply lighter checks within their limitations. In any case, archives that exceed reasonable analysis capabilities should be blocked or quarantined.

Block dangerous archives. Uploading archives in exotic formats, as well as self-extracting archives, is rarely necessary, so this functionality can be blocked on hosts. Additionally, using trusted application management (apps allowlist, application control), you can prohibit the execution of all archivers except the one or two that are permitted and actually used within the organization. It’s important to analyze the use of built-in OS archiving tools and block those that aren’t used by employees or the IT department. Make sure that none of the approved tools for Windows machines are ones that have no support for Mark-of-the-Web (MotW).

Block automatic mounting of disk images. Although disk images are not exactly archives, attackers use them in similar ways. Usage of disk images should be disabled through group policy for all employees who don’t need it for legitimate business purposes.

Monitor the use of archivers on endpoints. Ensure that your EDR solution and monitoring tools (SIEM, XDR) have rules to help detect suspicious activity related to archives: launching files from temporary folders, launching processes from within an archiver, and so on. Monitoring is also needed to detect data theft attempts indicated by archiving data from network folders, creating password-protected archives, creating very large archives, and so on.
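The monitoring rules above, and the data-staging behaviour described under T1560, can be expressed as simple checks over process-creation telemetry. The Python below is an added example (not the post's or any vendor's rules): it runs three rules over constructed process-creation events of the kind Sysmon Event ID 1 or an EDR feed provides; the field names and sample paths are assumptions made for this example.

```python
"""Detection rules for suspicious archiver activity on endpoints (added example, not the post's code).
Evaluates process-creation events (Sysmon Event ID 1 / EDR telemetry) against three of the
patterns described above. Field names and sample events are constructed for this example."""
import re

ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe", "7zg.exe", "7zfm.exe", "makecab.exe", "diantz.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
# rar/7z take the password inline as -p<pwd>; rar -hp<pwd> also encrypts file names.
PASSWORD_FLAG_RE = re.compile(r"(?:^|\s)-h?p\S+", re.IGNORECASE)
UNC_PATH_RE = re.compile(r"\\\\[\w.-]+\\\S+")


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def child_of_archiver(ev: dict) -> bool:
    """An archiver spawning a program usually means 'run from inside the archive'."""
    return _basename(ev["parent_image"]) in ARCHIVERS and _basename(ev["image"]) not in ARCHIVERS


def exec_from_temp(ev: dict) -> bool:
    """Executables launched from temp folders, where archivers unpack 'opened' files."""
    return bool(TEMP_DIR_RE.search(ev["image"])) and _basename(ev["image"]).endswith((".exe", ".scr", ".com"))


def exfil_staging(ev: dict) -> bool:
    """Archiver creating a password-protected archive or collecting from network shares (T1560)."""
    if _basename(ev["image"]) not in ARCHIVERS:
        return False
    cmd = ev["command_line"]
    return bool(PASSWORD_FLAG_RE.search(cmd) or UNC_PATH_RE.search(cmd))


RULES = {"child_of_archiver": child_of_archiver, "exec_from_temp": exec_from_temp, "exfil_staging": exfil_staging}


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (event id, rule name) pairs for every rule that matched."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real logs); paths follow common Windows layouts.
SAMPLE_EVENTS = [
    {"id": "e1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\report.rar"'},
    {"id": "e2", "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa1234.5678\invoice.pdf.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\Rar$EXa1234.5678\invoice.pdf.exe"'},
    {"id": "e3", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'7z.exe a -p<redacted> -mhe=on C:\Users\Public\docs.7z "\\fileserver\hr\"'},
    {"id": "e4", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\diantz.exe",
     "command_line": r"diantz.exe \\fileserver\finance\q1.xlsx C:\Users\Public\q1.cab"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(event_id, rule_name)
```

Event e1 (a user opening a downloaded archive) produces no hit, which is the baseline these rules should stay quiet on.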

Restrict the use of archives in server-side applications. If uploading archived files is not a critically important business function, it’s better to disable this feature in CMS, CRM, and other online applications. Ensuring its security can be challenging. If archives are required, be sure that the folders where these archives are uploaded are monitored by an EDR agent on the server, that the server application itself is updated regularly, and that the permissions granted to the application don’t allow it to write files to any folders outside its designated directories.

Include archivers and archive-processing applications in your vulnerability management program. Archivers should be updated no less frequently than the operating system and office software.

Train employees. Cybersecurity training for employees should cover phishing as well as general rules for safe handling of archives: pay attention to any pop-ups or unexpected prompts when opening familiar file types (DOC, PDF), only extract archives using the archiving application approved by the company, and if an archive immediately prompts for a password upon clicking the file, don’t extract it under any circumstances and immediately report it to the security team.

Kaspersky official blog – Read More

Watch out for these traps lurking in search results

Here’s how to avoid being hit by fraudulent websites that scammers can catapult directly to the top of your search results

WeLiveSecurity – Read More

So your friend has been hacked: Could you be next?

When a ruse puts on a familiar face, your guard might drop, making you an easy mark. Learn how to tell a friend apart from a foe.

WeLiveSecurity – Read More

GetShared phishing | Kaspersky official blog

A former colleague of ours recently received a suspicious email notification from GetShared — a genuine service he was unfamiliar with. Being the cautious type that he is (he did work at Kaspersky, after all), he didn’t click the link but instead forwarded the notification straight to us. A closer look at the email message confirmed it was a scam. Indeed, our email security statistics suggest that GetShared has been gaining popularity with scammers. We explain how GetShared is used in attacks, why attackers use it, and how to stay safe.

What a GetShared attack looks like

The victim receives a normal, authentic email notification from GetShared informing them that someone has sent them a file. The message specifies the file name and extension. For example, in the attack targeting our ex-colleague’s employer, it was “DESIGN LOGO.rar”.


Sample scam email sent as a GetShared notification

The message that accompanies the link employs a classic phishing trick: scammers inquire about prices for items supposedly listed in the attachment. To add a veneer of legitimacy, they ask about delivery time and payment details.

Why malicious actors use GetShared and other third-party services

Security solutions filter out the vast majority of spam, phishing, scam emails, and malicious attachments at the email gateway level. A popular and effective tactic for scammers trying to bypass these defenses is to send emails through legitimate services like Google Calendar or Dropbox. These services, naturally, are uncomfortable being unwitting accomplices in cybercrimes, so they constantly improve their own countermeasures, tighten signup rules, and so on. Therefore, scammers keep looking for new services to exploit. GetShared — a free service for sending large files — turned out to be yet another exploitable tool.

Signs that something’s phishy

Let’s step back from this specific case and GetShared for a moment. Ask yourself: is it really normal practice to send a business inquiry as a note in some random third-party file-sharing service? Assuming a hypothetical client has a genuine business need to transmit a file — say, documents relating to an order — via an external service, they’d typically arrange it first through standard email correspondence before sending you a barrage of notifications. This is business etiquette 101.

When someone asks you to view a text document on a third-party service, there can only be three explanations:

  • A security engine flags the document as spam, phishing, or scam.
  • The document contains links to a scam, phishing, or malicious website.
  • The document is infected, or the attachment is actually a malicious executable rather than a document.

In this particular instance, the service was used to distribute a text file containing a rather absurd request to get in touch with the malicious actors — they were trying to start a conversation to then develop the attack through social engineering.

Coming back to the email campaign we observed, this notification looks especially suspicious, primarily due to the glaring mismatch between the name of the file and the text accompanying it. The message hints at some list of goods, whereas the filename strongly suggests a design project.

Furthermore, take a close look at the sender’s address, which is stated clearly in the notification. A quick search for the domain name immediately reveals that this email address is likely used by scammers.

How to defend against such attacks

To protect your company from scam emails sent through GetShared or any other legitimate services, we recommend the following:

Kaspersky official blog – Read More

Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It

While developing our Security Training Lab educational program, we at ANY.RUN have turned to well-established theories of education, cognitive skill development, and the psychology of learning. Their foundational principles emphasize one critical truth: practice is indispensable for mastering complex skills.  

In the field of cybersecurity—especially in malware analysis—the ability to apply theoretical knowledge in real-world scenarios is what separates competent professionals from novices. Inspired by this understanding, we designed the Security Training Lab to bridge the gap between classroom theory and the practical demands of the cybersecurity industry. Students, we believe, should be equipped to tackle real threats from day one. 

As a malware analysis solutions developer, ANY.RUN has all the resources and capabilities to provide the audience of its educational program with as much practice as it’s ready to digest.  

How Security Training Lab Offers Practice-Oriented Training 

Of course, nobody is going to toss future malware analysts in at the deep end unprepared and watch them flounder in a lake of real cyber threats. Security Training Lab is based on 30 hours of academic content including texts and video lectures.

The program includes modules on:

  • Advanced static and dynamic malware analysis
  • Study of malware behavior, malicious scripts, files, and macros
  • The basics of encryption

The Program’s structure and contents 

Interactive tasks and tests appear at the end of each module and in the final exam. But real-world examples of detonated, dissected, and analyzed malware run through the entirety of learning material encouraging trainees to find an example or perform a task of their own, to practice their newly acquired skills.



How Security Training Lab Benefits Universities

The emphasis on applicable knowledge and practical experience are not the only features of the Security Training Lab valuable for educational organizations. As a ready-made, expert-supported solution, it offers universities the following benefits:  

  • No setup hassle: full access to ANY.RUN’s Interactive Sandbox for instructors and students. The course is available and ready for use on the Seturon platform. There is no need to set up complex environments or worry about local security.
  • Up-to-date: based on the latest malware samples, techniques, and real-world scenarios, keeping the curriculum relevant. 
  • Scalable for classrooms and remote learners: supports self-paced, instructor-led, and hybrid learning formats. 
  • Built-in analytics: instructors can track progress and assess students’ practical skills. 

The Key to Effective Learning: Interactive Sandbox 

Students don’t just read about malicious scripts, ransomware, or phishing kits—they dissect them. Through ANY.RUN’s Interactive Sandbox, they gain full access to a virtualized environment where they can upload, execute, and analyze live threats. 

Public reports with malware samples submitted by ANY.RUN’s users

They also gain access to a repository of malware samples submitted by ANY.RUN’s user community of more than 500,000 cybersecurity professionals. These users (including 15,000 corporate SOC teams that face the most current and dangerous threats) leave public reports on their analysis sessions that students can explore and analyze on their own.

A task for working with public reports

All students of the Security Training Lab have unlimited access to the Sandbox, so they can go far beyond the examples and tasks in the program. 

Launching a suspected malware sample analysis in sandbox’s virtual environment

For example, a student might analyze a phishing link disguised as a legitimate URL, interact with it in the sandbox, and observe how it attempts to steal credentials or deploy secondary malware. Another might de-obfuscate a malicious script, uncovering its hidden payload step-by-step.

Investigating a suspicious link in ANY.RUN’s Sandbox 

These exercises simulate the real-life scenarios analysts face — whether it’s investigating a targeted attack on a corporate network or responding to a widespread malware campaign. By engaging with authentic samples, students learn to recognize patterns, anticipate attacker tactics, and develop effective mitigation strategies. 





A Dive into Practice: Full Scope of Tools 

Of course, the hands-on part of the Security Training Lab curriculum is not based solely on ANY.RUN’s tools.

A number of modules introduce students to key professional tools

A malware analysis expert needs to employ an arsenal of tools, so it’s vital for students to start getting acquainted with them early and intensively.

Conclusion  

The cybersecurity industry is experiencing a global talent shortage, particularly in skilled threat researchers and malware analysts. With the Security Training Lab, we help to address this gap by providing a practice-first, job-relevant learning experience. 

Through hands-on training with real malware samples and simulations of workplace challenges, we’re preparing students not just to understand cyber threats, but to defeat them.  

By integrating ANY.RUN’s course into the academic program, universities meet the challenge of offering a competitive educational product, responding to market demands, and providing their students with the most promising career opportunities.  

For Universities: Contact ANY.RUN to integrate Security Training Lab in your curriculum 

About ANY.RUN

ANY.RUN supports over 15,000 organizations across numerous industries, including banking, manufacturing, and healthcare. Our interactive malware analysis and threat intelligence tools allow companies and SOC teams to speed up their threat investigations, ensure proactive security, and build stronger and more resilient operations.

The post Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More