Every piece of malware leaves traces behind. Sometimes it’s a string buried deep in the code. Other times it’s a mutex, a registry key, or a network pattern. The key is knowing what to look for. 

That’s exactly what malware signatures are for. They describe these recurring elements, unique strings, behaviors, or structural patterns, that can be used to reliably identify known threats. 

Security teams use these signatures to detect and flag malicious activity; sometimes before the malware even has a chance to do damage. 

In this article, we’ll break down what malware signatures are, the different types you’ll encounter, and how tools like YARA and Suricata help turn small clues into confident decisions. 

What Is a Malware Signature? 

A malware signature is a unique indicator tied to a specific piece of malicious software. It could be a text string, a file hash, a mutex, or even a sequence of behaviors. Security tools use these signatures to recognize and flag known threats, kind of like matching fingerprints at a crime scene. 

The goal is simple: spot malware based on something that consistently shows up across samples from the same family or campaign. Once identified, these signatures become part of detection rules used by antivirus engines, sandboxes, and intrusion detection systems. 

How Are Malware Signatures Created? 

Malware signatures are usually crafted by security researchers and automated detection systems after analyzing how a threat behaves or what it contains. 

When a new malware sample is discovered, analysts break it down, looking at code, memory behavior, registry changes, network traffic, and other markers. If they notice something unique or consistently present across samples, like a specific mutex name, string, or packet structure, that becomes a potential signature. 

Depending on the tool or platform, these signatures might take different forms; 

• Static signatures are based on strings, byte sequences, or file hashes. 
• Behavioral signatures are based on what the malware does, like creating certain processes or modifying the registry. 
• Custom rules, like YARA or Suricata, allow analysts to define more complex patterns based on real-world observations. 

Main Types of Malware Signatures 

Not all malware looks or behaves the same, and the same goes for how we detect it. Over time, security teams have developed different types of signatures to match different kinds of threats.  

Here are the most common ones: 

Static Signatures 

These are the most traditional and widely used. Static signatures match fixed elements inside a file, like strings, byte sequences, or hashes, without needing to run the malware. 

Key traits: 

• Match based on file content (strings, hex patterns, hashes) 
• Fast and efficient for known threats 
• Can be bypassed through obfuscation or slight code changes 
• Commonly used in antivirus software  

Heuristic Signatures

Heuristic signatures look beyond exact matches. They evaluate the structure or logic of a file to identify suspicious patterns that may indicate malware, even if the sample is new or modified. 

Key traits: 

• Detect threats based on suspicious code structures 
• Useful for catching variants or zero-day malware 
• May generate false positives if too broad 
• Often found in email filters, AVs, and static analyzers 

Behavioral Signatures 

Rather than scanning a file, these signatures monitor what it does when executed. If it behaves like malware, e.g., injecting code or modifying the registry, it gets flagged. 

Key traits: 

• Trigger on real-time actions and behaviors 
• Great for catching fileless or evasive malware 
• Requires sandboxing or endpoint monitoring 
• Common in EDRs, sandboxes, and dynamic analysis tools 

How Detection Tools Use Signatures: YARA and Suricata 

Once malware signatures are defined, they need to be used effectively, and that’s where tools like YARA and Suricata come in. Each serves a unique purpose: one focuses on files and memory, the other on network traffic. Together, they cover a wide range of threats and detection angles. 

YARA Signatures: Matching Patterns in Files and Processes 

YARA is a rule-based detection tool that helps analysts identify malware by describing textual or binary patterns. It’s especially powerful for hunting threats across memory dumps, unpacked payloads, or large malware datasets. 

YARA helps security teams quickly identify threats by matching known patterns in files, processes, or memory. It automates what would otherwise be a slow, manual process, making detection faster, more accurate, and more scalable. 

Its real strength lies in customization. Teams can write tailored rules to catch specific malware strains or adapt to new threats as they emerge. When combined with ANY.RUN’s interactive sandbox, YARA also reveals how they behave, giving organizations the insight they need to act fast and prevent damage. 

Key benefits of YARA in a security workflow: 

• Speeds up detection and reduces manual effort 

• Detects both known and emerging malware families 

• Cuts down false positives with precise rules 

• Boosts efficiency across security teams 

• Helps contain threats early and minimize risk 

Real-World Example: Matching the Mutex Pattern 

Let’s look at an example of YARA rule used in ANY.RUN’s sandbox: 

$s6 = “Local\SM0:%d:%d:%hs” wide 

This string is part of a rule designed to detect mutexes created by certain malware families.

To see this signature in action, check out this ANY.RUN analysis session. 

Navigate to the MediaCenter.exe process → More Info → Synchronization tab. 

There, you’ll find the mutex: LocalSM0:5320:168:WilStaging_02 

This mutex exactly matches the YARA signature pattern. The use of placeholders like %d and %hs allows the rule to flexibly detect variations of this format across different samples. 

• %d matches any sequence of digits (0–9) 

• %hs matches a short string or hexadecimal value, typically 2 bytes 

This is a great example of how YARA rules aren’t just powerful, they’re also adaptable to the real-world quirks of evolving malware behavior. 

Suricata Signatures: Detecting Malicious Behavior in Network Traffic 

While YARA focuses on identifying malware based on what it is, Suricata helps detect malware based on what it does across the network. It’s an advanced intrusion detection system (IDS) that monitors real-time traffic and flags suspicious behavior using both signature- and anomaly-based techniques. 

ANY.RUN integrates Suricata to enhance threat visibility at the network level, allowing analysts to catch threats as they try to communicate with command-and-control servers, exfiltrate data, or spread laterally. Suricata signatures give security teams immediate context; what’s happening, where, and why it matters. 

Key benefits of Suricata in a security workflow: 

• Detects malicious traffic and C2 communication in real time 
• Complements file-based detection with network-layer visibility 
• Helps attribute threats to specific malware families 
• Speeds up incident response with actionable alerts 
• Empowers teams with visibility into protocol activity across multiple layers 

In ANY.RUN, Suricata rules are applied automatically during sandbox analysis. Let’s take a look at a real-world detection involving Gh0st Remote Access Trojan (RAT). 

View analysis session with Gh0st RAT 

After execution, the sample initiates suspicious encrypted traffic. Suricata instantly detects it and flags the connection as Gh0st RAT activity.

How it works: 

• Suricata inspects packets across protocols (HTTP, TCP, UDP, etc.) 
• It matches patterns defined in the ET (Emerging Threats) rule sets 
• Once a match is found, it provides detailed metadata: source/destination IPs, ports, signature ID, and threat name 

By switching to the Suricata rule tab, you’ll be able to inspect it more thoroughly.  

Making the Most of Malware Signatures in ANY.RUN 

Malware signatures can do a lot on their own but when they’re used in the right environment, they become even more useful. 

Inside ANY.RUN’s sandbox, YARA and Suricata work together to give you the full picture. You can see what a file is doing locally, spot mutexes, registry changes, and other signs of malicious behavior, then switch to the network layer to catch things like encrypted C2 traffic or data exfiltration. Both angles are covered, without having to jump between tools. 

Instead of switching between tools, analysts get everything in one place; interactive, real-time, and backed by constantly updated signature sets. This gives less time digging and more time acting. 

If your goal is to reduce investigation time, improve detection accuracy, and truly understand how malware behaves, ANY.RUN puts those capabilities right at your fingertips. 

About ANY.RUN

ANY.RUN is used by over 500,000 cybersecurity professionals and 15,000+ companies across finance, manufacturing, healthcare, and other industries. Its Interactive Sandbox offers fast threat analysis for Windows, Linux, and Android, aiding malware and phishing investigations. Threat Intelligence Lookup and TI Feeds enhance cyber attack knowledge and detection.

Strengthen your company’s cyber resilience with ANY.RUN →

The post Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

How do you keep your chats private and protect your messaging account from being stolen or hacked? Here are 12 simple rules with brief explanations of why each one is important.

Enable two-factor authentication

Why this is important. It keeps your account from being hacked or hijacked through SIM swapping or some other technique. Turning on this setting requires entering your secret password in addition to the SMS verification code when signing in to the messaging app with your account on a new device.

What to do. Open the security and privacy settings of your messaging app, enter a secret password, and memorize it. You’ll only need to enter it when linking a new device to your account. To make things easier, you can generate and store it in a secure password manager, or test the strength of your password using our free Kaspersky Password Checker.

Don’t share one-time passwords

Why this is important. If scammers want to steal your account, they’ll try to trick you into giving them the verification code after you receive it in your messaging app.

What to do. Don’t forward or dictate one-time passwords for signing in to chat apps to anyone. Your friends, support agents, companies, or banks will never need these codes. If someone is asking for a code, it’s a scammer.

Never scan QR codes outside of the messaging app

Why this is important. Some account hijacking schemes masquerade as invitations to join a group or chat. You scan a QR code in an ad, but instead of joining a neighborhood or class chat, you allow a scammer to link their device to your account.

What to do. If someone is asking you to scan a QR code, find the scanner in the messaging app — typically in the Settings. Don’t use your camera or some other QR-code scanning app. Carefully read the prompts displayed by the messaging app: it’ll tell you whether you’re joining a group or channel, or linking a new device to your account.

Carefully check new contact requests

Why this is important. Scammers typically imitate people you know: “Hi! Me again. I’ve a new phone number”. They may even know who your boss is. Many scams that result in major financial losses start with requests from “friends” or “colleagues”. Another type of attack is a “misdialed call” scam. “Is this Hannah? It’s not? Oh, sorry! I misdialed. Anyway, how are things?”

What to do. If you see a new chat, but there’s no history, stay alert! If this is supposedly an acquaintance, ask them about something only they would know. If your boss is texting you, it’s best to confirm it with them directly through a different channel, such as their office phone, work email, or in person, before proceeding. If you get a message from someone claiming it was sent in error, ignore any enticing offers, especially if accompanied by links or files.

Use the block feature

Why this is important. It’s the best way to get rid of stalkers, scammers, and clinging exes.

What to do. Don’t ignore spammers or scammers from the previous tip. Every chat app has a “Block user” button — don’t hesitate to press it! This will prevent the scammer from writing you again — or, after several reports, anyone else. This button is also a great way to minimize reminders of those unpleasant people from your past.

Think before you open a link — even if it’s from a friend

Why this is important. Your friends are vulnerable too. Scammers can compromise their accounts, then use them to send manipulative messages — pleas for help or provocations — to everyone in their contact list, aiming to extort money or hijack further accounts.

What to do. Steer clear of suspicious website links, unfamiliar file attachments, pleas for cash, requests to vote in dubious contests, messages like, “Is that really you in that photo?”, and unexpected, too-good-to-be-true offers like free premium subscriptions. To ensure you don’t stumble into these traps, delete such messages on sight. If they appear to be from someone you know, reach out using another channel, and alert them to the suspicious activity occurring under their name. If you act quickly, you might be able to help your friends recover their accounts, as 24 hours is often all there is to do so.

Restrict access to your smartphone and messaging app

Why this is important. If your phone gets stolen, or you give it to a friend, coworker, or relative, access control will keep anyone from snooping on your chats.

What to do. Enable screen lock: fingerprint, Face ID, or a long PIN. Also, enable App Lock in the phone settings or messaging app itself. Your fingerprint or PIN will be required to open the app every time. Even if you give someone an unlocked phone, they won’t be able to use the chat app.

Turn off message previews

Why this is important. A locked phone screen may display highly sensitive data: from private messages to verification codes from the bank.

What to do. Disable message previews on the lock screen. You can do that in the “Notifications” section of the phone settings.

Use disappearing and one-time-view messages

Why this is important. If you’re sharing things like Wi-Fi passwords, booking details, or your home address, which are only needed for a moment, don’t leave them in your chat history to haunt you later. What if one of you gets hacked?

What to do. When sharing sensitive data, apply either an auto-delete timer for messages or the “view once” setting, depending on the situation. If neither is an appropriate option, set a reminder to revisit the chat and delete the message for both users after an hour, day, or week.

Added bonus. This looks cool and helps keep the chat uncluttered.

Don’t send nudes!

Why this is important. Even if it’s just a one-time view message, the picture might be shown to people around or screenshotted and then used against you.

What to do. Avoid sharing anything that could upset, embarrass, jeopardize, or open you up to blackmail if published. This is true for any private information, not just nudes. If your nudes have already been leaked online, there might still be a chance to get them removed.

Be careful with group chats

Why this is important. You probably trust your friends. But how well do you know the people your friends add to groups?

What not to do. Don’t share your phone numbers, addresses, or other sensitive (your own as well as others’) personal information in large chats.

Limit your profile visibility

Why this is important. Neither scammers nor strangers need to see your profile photo or know when you were last seen online.

What to do. Open the Privacy section in the chat app settings and choose who can see your “Last Seen”, “Profile Photo”, “Status”, and so on. By default, this data is visible to everyone. Adjust the settings to your preference, choosing either “My Contacts” or “Nobody”.

Read other stories to find out how to adjust security and privacy settings in specific messaging apps, and what to do if you’ve been targeted by scammers or had your account compromised:

• WhatsApp and Telegram account hijacking: how to protect yourself against scams
• Setting up both security and privacy in WhatsApp
• What to do if your WhatsApp account gets hacked
• Telegram security and privacy tips
• What to do if your Telegram account is hacked
• … and others

Kaspersky official blog – ​Read More

• Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.  
• We observed that the campaign targets people across several states in the U.S. according to the domain names used in the smishing messages. 
• Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by “Wang Duo Yu”, according to the intelligence obtained by Talos. 

Toll road smishing attacks 

Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages. 

The actors send an SMS notification for an outstanding bill claiming that the potential victim owes a small amount of money, under $5 USD. They warn of potential late fees, prompting victims to visit a spoofed domain for the payment.  

When the victim visits the domain, they are prompted to solve a fake image-based CAPTCHA, after which it redirects the victims to a fake webpage with the legitimate toll service’s logo. This webpage prompts the victims to enter their name and ZIP code to view their fake bill. The fake bill displays the victim’s name with a message showing that they owe approximately $4 and warning of a $35 late payment fee. 

After the victim views their fake bill, they click the “Proceed Now” button which redirects them to another fake webpage. This site prompts the victim to enter their name, address, phone number and credit card information, which the threat actor eventually steals. Due to the limited visibility of the threat actor phishing infrastructure, Talos is unsure if there are any further payloads delivered to the victims’ devices. 

In April 2024, FBI’s Internet Crime Complaint Center (IC3) warned about a similar toll road smishing campaign where the threat actor used the same brand impersonation technique but with a slight difference in the SMS message language, monetary values and formatting. 

Targeting toll road users in multiple states indicates the likelihood of the threat actor leveraging user information publicly leaked from large databases. For example, the threat actor behind the 2024 National Public Data leak released billions of records publicly which were then shared on private Telegram channels for further abuse. However, Talos currently does not have any evidence to suggest that the toll road smishing campaign is fueled by the National Public Data leaks.  

Phishing infrastructure 

Talos observed that the actors have used several typosquatted domains in the SMS phishing messages to convince the potential victims to visit them. These typosquatted phishing domains were created during Oct. and Nov. 2024 and were observed resolving to one of the following IP addresses: 45[.]152[.]115[.]161 and 82[.]147[.]88[.]22.  

As of March 2025, Talos is still seeing new domains registered by the threat actors for the toll road scams, implying that the campaign is ongoing. During our research period, these newly registered domains resolved to the IP address 43[.]156[.]47[.]209. 

Smishing kits likely used in the U.S. toll road scams 

Talos assesses with moderate confidence that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as “Wang Duo Yu”, according to the intelligence obtained by Talos. 

We have observed similar smishing kits being used by the organized cybercrime group known as the “Smishing Triad.” This group has conducted large-scale smishing attacks targeting mail services in multiple countries, including the United States Postal Service (USPS), as well as the financial and commercial sectors previously reported by Resecurity. 

Talos discovered references to specific phishing kits that are targeting toll systems in the DY Tongbu Telegram channel on “老王同步源码开发教学” translated to “Lao Wang Synchronized Source Code Development Tutorial.”  

The Telegram channel shared details about a phishing module that allegedly spoofs the Massachusetts MassDOT’s EZDriveMA toll system, as well as a phishing module that targets customers of the North Texas Toll Authority. At the time of publication, the Telegram channel had more than 4,400 subscribers. 

Further investigation has revealed that the developer, 王多余 (translated to Wang Duo Yu), has developed a similar smishing kit and operates the Lao Wang Synchronized Source Code Development Tutorial Telegram channel from two separate accounts. The pictures shown below display screenshots of the two telegram accounts related to Wang Duo Yu. 

Additionally, we noticed that the developer has created a YouTube channel where they upload tutorial videos. These videos cover topics such as “How to Build a PMTA Mail Server,” “Setting Up an Automatic EPUSD Payment and Vending System,” “Creating a Pagoda Panel Website (宝塔面板),” “Building the Simplest and Safest Node Using Native Tools,” and “Using the X-UI Panel to Set Up a VMess+WS+TLS+Web or VLess+WS+TLS+Web Node.”  Each video guides users on building basic web services or mail servers. 

There are also some private video links that cannot be found elsewhere. Talos found one such video on a Chinese forum. To access the post with the video link, users need special permissions in that forum. 

We also observed Wang Duo Yu promoting their smishing kits business and tutorials on other Telegram channels, also offering personal lessons that include full-stack development, mail server setup and Telegram bot development. The threat actor offers a two-hour lesson each day and provides one-on-one instruction via remote desktop, charging ¥5888 (converting to approx. US $806 at time of publication) per class. 

One of the Telegram channels shown in the above picture is called, “向前论坛,” translating to ” Xiangqian Forum,” of which Wang Duo Yu is a moderator. Wang Duo Yu posted articles in this forum to increase subscribers, promoted their own teaching courses, and provided links and discount codes for purchasing VPS and domains. 

We also found an additional website selling the VPS and cloud services, confirmed to be owned by Wang Duo Yu.  The “wangduoyu[.]vip” website was active from 2022 to 2023. 

We observed that Wang Duo Yu offers the toll smishing kit source code for sale and provides services to assist in setting up the whole system. In a forum post, they stated that anyone interested can reach out to their personal Telegram account “@wangduofish”. The post also includes hidden content only visible to users with VIP access. 

Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels. The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support. The threat actor also offers updated releases for multiple source code versions. The offers on the Telegram channel revealed that the smishing kits and source code primarily target large public-facing entities with a large end-userbase, such as toll road operators, banks and postal services. 

Coverage

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Indicators of Compromise  

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

A former colleague of ours recently received a suspicious email notification from GetShared — a genuine service he was unfamiliar with. Being the paranoid cautious type that he is (he did work at Kaspersky, after all), he didn’t click the link but instead forwarded the notification straight to us. A closer look at the email message confirmed it was a scam. Indeed, our email security statistics suggest that GetShared has been gaining popularity with scammers. We explain how GetShared is used in attacks, why attackers use it, and how to stay safe.

What a GetShared attack looks like

The victim receives a normal, authentic email notification from GetShared informing them that someone has sent them a file. The message specifies the file name and extension. For example, in the attack targeting our ex-colleague’s employer, it was “DESIGN LOGO.rar”.

Sample scam email sent as a GetShared notification

The message that accompanies the link employs a classic phishing trick: scammers inquire about prices for items supposedly listed in the attachment. To add a veneer of legitimacy, they ask about delivery time and payment details.

Why malicious actors use GetShared and other third-party services

Security solutions filter out the vast majority of spam, phishing, scam emails, and malicious attachments at the email gateway level. A popular and effective tactic for scammers trying to bypass these defenses is to send emails through legitimate services like Google Calendar or Dropbox. These services, naturally, are uncomfortable being unwitting accomplices in cybercrimes, so they constantly improve their own countermeasures, tighten signup rules, and so on. Therefore, scammers keep looking for new services to exploit. GetShared — a free service for sending large files — turned out to be yet another exploitable tool.

Signs that something’s phishy

Let’s step back from this specific case and GetShared for a moment. Ask yourself: is it really normal practice to send a business inquiry as a note in some random third-party file-sharing service? Assuming a hypothetical client has a genuine business need to transmit a file — say, documents relating to an order — via an external service, they’d typically arrange it first through standard email correspondence before sending you a barrage of notifications. This is business etiquette 101.

When someone asks you to view a text document on a third-party service, there can only be three explanations:

• A security engine flags the document as spam, phishing, or scam.
• The document contains links to a scam, phishing, or malicious website.
• The document is infected, or the attachment is actually a malicious executable rather than a document.

In this particular instance, the service was used to distribute a text file containing a rather absurd request to get in touch with the malicious actors — they were trying to start a conversation to then develop the attack through social engineering.

Coming back to the email campaign we observed, this notification looks especially suspicious, primarily due to the glaring mismatch between the name of the file and the text accompanying it. The message hints at some list of goods, whereas the filename strongly suggests a design project.

Furthermore, take a close look at the sender’s address, which is stated clearly in the notification. A quick search for the domain name immediately reveals that this email address is likely used by scammers.

How to defend against such attacks

To protect your company from scam emails sent through GetShared or any other legitimate services, we recommend the following:

• Train your employees to recognize potential threats. Our Kaspersky Automated Security Awareness Platform can assist with this.
• Install robust security solutions on all corporate devices. This will, at the very least, prevent the execution of malicious code or deny access to phishing websites, should the victim download a file sent by the scammers.

Kaspersky official blog – ​Read More