• This blog explores how to equip autonomous AI agents with cybersecurity knowledge, enabling them to make informed decisions about internet safety, such as identifying trustworthy links and websites.
• It demonstrates a proof of concept using LangChain and OpenAI, integrated with the Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.
• By learning to assess the safety of domains, AI agents can develop better cyber hygiene, making more intelligent decisions rather than simply being restricted by security gateways, which is crucial for the next generation of autonomous AI systems.

---

In the late 1960s, the science fiction author Philip K. Dick wrote “Do Androids Dream of Electric Sheep,” which, among other themes, explored the traits that distinguish humans from autonomous robots. As advances in generative AI allow us to create autonomous agents that are able to reason and act on humans’ behalf, we must consider the human traits and knowledge that we must equip agentic AI with to allow them to act autonomously, reasonably, and safely. 

One skill we need to impart on our AI agents is the ability to stay safe when navigating the internet. If agentic AI systems are interacting with websites and APIs in the same way as a human internet user, they need to be aware that not all websites or public APIs are trustworthy, and nor is user supplied input. Therefore, we must empower our AI agents with the ability to make appropriate cyber hygiene decisions. In an agentic world, it is for the autonomous agent to decide if it is safe and appropriate to “click the link.” 

The threat landscape is constantly shifting, so there are no hard and fast rules that we can teach AI systems about what is a safe link and what is not. AI agents must verify the disposition of links in real time to determine if something is malicious. 

There are many emerging approaches to building AI workflow systems that can integrate multiple sources of information to allow an AI agent to come to a decision about an appropriate course of action. In this blog, I show how it is possible to use one of these frameworks, LangChain, with OpenAI to enable an AI agent to access real-time threat intelligence via the Cisco Umbrella API. 

Prerequisites 

To implement this example you will need API keys for Cisco Umbrella and a paid OpenAI account. 

1. Obtain a new API key from OpenAI account with available credit. The key will not work if you have a free, unfunded account. 
2. Obtain a Cisco Umbrella API Key and Secret by following these steps. Be sure the check the “Investigate” box for the Key Scope. 
3. Save your keys as shell environment variables named “OPENAI_API_KEY”, “UMBRELLA_KEY” and “UMBRELLA_SECRET” (e.g., export  UMBRELLA_KEY=”nnnnnnnnnnnnnnnnnn”).

Code 

Follow along with the full sample code, which can be found in Talos’ GitHub repository. 

First, we need to describe the tool to the AI agent.

Then we include the newly described tool in the list of available tools.

Next, we create the large language model (LLM) instance that we will use. This example uses GPT-3.5-Turbo from OpenAI, but other LLM models are supported.

Now, let’s give instructions to the LLM, describing what the LLM should do using natural language structured in a Question, Thought, Action, Observation format. 

Create the agent and the executor instance that we will interact with.

As part of querying the Umbrella API, we must obtain a session token to pass to the Umbrella API with our request. This is obtained from an authentication call using our API key and secret.

Next, let’s define the tool that we have described to the AI system. It accepts input text as a parameter and checks for the presence of any domains. If any are found, the disposition of each one is checked.

The key functionality within the above code is “getDomainDisposition” which passes the domain to the Umbrella API to retrieve the disposition and categorization information about the domain.

We can now pass input text to “agent_executor” to discover the agent’s opinion.

This gives the response:

“Agent Response: www.cisco.com is safe to browse.”

Reassuringly, the agent reports that “cisco.com” is safe to connect to. If necessary, we can output the domain disposition report to see the logic by which the system arrives at this conclusion:

“This contains a URL. Considering www.cisco.com. The domain www.cisco.com has a positive disposition. The domain www.cisco.com is classified as: Computers and Internet, Software/Technology. Known malicious domains are never safe, domains with positive disposition are usually safe. A domain with an unknown disposition might be safe if it is categorized.”

Let’s try a different domain which is known to be malicious.

“Agent Response: do not connect”

When provided with a known malicious domain, the system identifies that the domain has a negative disposition and concludes that this is not a domain which is safe for connection. 

Now let’s try input text with two domains.

“Agent Response: www.umbrella.com is safe to connect to. test.example.com has an unknown disposition, so it is uncertain if it is safe to connect to.”

The system is able to provide separate advice for each domain when supplied with input containing a domain with a positive disposition and one with an unknown disposition. 

Finally, let’s see what happens when we pose an unrelated question without any domains.

“Agent Response: no opinion” 

Examining the logic shows that the system made the correct decision not to attempt to answer the question. 

“No URLs found. Since no internet domains were found in the user input, I have no information to assess the safety of any websites.“

Discussion 

This is very much proof-of-concept code, but it does show how we can integrate APIs offering real-time authoritative facts, such as the security disposition of domains from Umbrella, into the decision making process of AI agents. 

There are other approaches that we can use to arrive at the same result. We could put the AI agent behind a web security gateway or require the agent to use Umbrella DNS, which would enforce the restriction not to connect to malicious sites. However, to do so removes the ability for the AI agent to learn how to make sense of potentially conflicting information and to make good decisions. 

The current generation of LLM-based generative AI systems is only the beginning of the forthcoming advances in autonomous agentic AI. As part of building this next generation of AI systems, we need to ensure that they not only make good decisions, but understand cyber hygiene and have access to real-time threat intelligence on which to base their decision-making. 

Cisco Talos Blog – ​Read More

The year is 2024. A team of scientists from both the University of California San Diego and the University of Maryland, College Park, discovers an unimaginable danger looming over the world — its source hiding in space. They start sounding the alarm, but most people simply ignore them…

No, this isn’t the plot of the Netflix hit movie Don’t Look Up. This is the sudden reality in which we find ourselves following the publication of a study confirming that corporate VoIP conversations, military operation data, Mexican police records, private text messages and calls from mobile subscribers in both the U.S. and Mexico, and dozens of other types of confidential data are being broadcast unencrypted via satellites for thousands of miles. And to intercept it, all you need is equipment costing less than US$800: a simple satellite-TV receiver kit.

Today, we explore what might have caused this negligence, if it’s truly as easy to extract the data from the stream as described in a Wired article, why some data operators ignored the study and took no action, and, finally, what we can do to ensure our own data doesn’t end up on these vulnerable channels.

What happened?

Six researchers set up a standard geostationary satellite-TV antenna — the kind you can buy from any satellite provider or electronics store — on the university roof in the coastal La Jolla area of San Diego, Southern California. The researchers’ no-frills rig set them back a total of US$750: $185 for the satellite dish and receiver, $140 for the mounting hardware, $195 for the motorized actuator to rotate the antenna, and $230 for a TBS5927 USB-enabled TV tuner. It’s worth noting that in many other parts of the world, this entire kit likely would have cost them much less.

What distinguished this kit from the typical satellite-TV antenna likely installed outside your own window or on your roof was the motorized dish actuator. This mechanism allowed them to reposition the antenna to receive signals from various satellites within their line of sight. Geostationary satellites, used for television and communications, orbit above the equator and move at the same angular velocity as the Earth. This ensures they remain stationary relative to the Earth’s surface. Normally, once you point your antenna at your chosen communication satellite, you don’t need to move it again. However, the motorized drive allowed the researchers to quickly redirect the antenna from one satellite to another.

Every geostationary satellite is equipped with numerous data transponders used by a variety of telecom operators. From their vantage point, the scientists managed to capture signals from 411 transponders across 39 geostationary satellites, successfully obtaining IP traffic from 14.3% of all Ku-band transponders worldwide.

The team first developed a proprietary method for precise antenna self-alignment, which significantly improved signal quality. Between August 16 and August 23, 2024, they performed an initial scan of all 39 visible satellites. They recorded signals lasting three to ten minutes from every accessible transponder. After compiling this initial data set, the scientists continued with periodic selective satellite scans and lengthy, targeted recordings from specific satellites for deeper analysis — ultimately collecting a total of more than 3.7TB of raw data.

The researchers wrote code to parse data transfer protocols and reconstruct network packets from the raw captures of satellite transmissions. Month after month, they meticulously analyzed the intercepted traffic, growing increasingly concerned with each passing day. They found that half (!) of the confidential traffic broadcast from these satellites was completely unencrypted. Considering that there are thousands of transponders in geostationary orbit, and the signal from each one can, under favorable conditions, be received across an area covering up to 40% of the Earth’s surface, this story is genuinely alarming.

What data was broadcast with open access?

The geostationary satellites were found to be broadcasting an immense and varied amount of highly sensitive data completely unencrypted. The intercepted traffic included:

• Calls, SMS messages, and internet traffic from end-users; equipment identifiers and cellular encryption keys belonging to various operators, including T-Mobile and AT&T Mexico
• Internet data for users of in-flight Wi-Fi systems installed on commercial passenger aircraft
• Voice traffic from several major VoIP providers, including KPU Telecommunications, Telmex, and WiBo
• Government, law enforcement and military traffic: data originating from U.S. military ships; real-time geolocation and telemetry data from Mexican Armed Forces air, sea and ground assets; and information from Mexican law enforcement agencies — including data on drug trafficking operations and public assemblies
• Corporate data: internal traffic from major financial organizations and banks like Grupo Santander Mexico, Banjército, and Banorte
• Internal traffic from Walmart-Mexico, including details on warehouse inventory and price updates
• Messages from key U.S. and Mexican infrastructure facilities like oil and gas rigs and electricity providers

While most of this data seems to have been left unencrypted due to sheer negligence or a desire to cut costs (which we’ll discuss later), the presence of cellular data in the satellite network has a slightly more intriguing origin. This issue stems from what is known as backhaul traffic — used to connect remote cell towers. Many towers located in hard-to-reach areas communicate with the main cellular network via satellites: the tower beams a signal up to the satellite, and the satellite relays it back to the tower. Crucially, the unencrypted traffic the researchers intercepted was the data being transmitted from the satellite back down to the remote cell tower. This provided them access to things like SMS messages and portions of voice traffic flowing through that link.

Data operators’ response to the researchers’ messages

It’s time for our second reference to the modern classic by Adam McKay. The movie Don’t Look Up is a satirical commentary on our reality — where even an impending comet collision and total annihilation cannot convince people to take the situation seriously. Unfortunately, the reaction of critical infrastructure operators to the scientists’ warnings proved to be strikingly similar to the movie plot.

Starting in December 2024, the researchers began notifying the companies whose unencrypted traffic they’d successfully intercepted and identified. To gauge the effectiveness of these warnings, the team conducted a follow-up scan of the satellites in February 2025 and compared the results. They found that far from all operators took any action to fix the issues. Therefore, after waiting nearly a year, the scientists decided to publicly release their study in October 2025 — detailing both the interception procedure and the operators’ disappointing response.

The researchers stated that they were only publishing information about the affected systems after the problem had been fixed or after the standard 90-day waiting period for disclosure had expired. For some systems, an information disclosure embargo was still in effect at the time of the study’s publication, so the scientists plan to update their materials as clearance allows.

Among those who failed to address the notifications were: the operators of unnamed critical infrastructure facilities, the U.S. Armed Forces, Mexican military and law enforcement agencies, as well as Banorte, Telmex, and Banjército.

When questioned by Wired about the incident, in-flight Wi-Fi providers responded vaguely. A spokesperson for Panasonic Avionics Corporation said the company welcomed the findings by the researchers, but claimed they’d found that several statements attributed to them were either inaccurate or misrepresented the company’s position. The spokesperson didn’t specify what exactly it was that the company considered inaccurate. “Our satellite communications systems are designed so that every user-data session follows established security protocols,” the spokesperson said. Meanwhile, a spokesperson for SES (the parent company of Intelsat) completely shifted responsibility onto the users, saying, “Generally, our users choose the encryption that they apply to their communications to suit their specific application or need,” effectively equating using in-flight Wi-Fi with connecting to a public hotspot in a café or hotel.

Fortunately, there were also many appropriate responses, primarily within the telecommunications sector. T-Mobile encrypted its traffic within just a few weeks of being notified by the researchers. AT&T Mexico also reacted immediately, fixing the vulnerability and stating it was caused by a misconfiguration of some towers by a satellite provider in Mexico. Walmart-Mexico, Grupo Santander Mexico, and KPU Telecommunications all approached the security issue diligently and conscientiously.

Why was the data unencrypted?

According to the researchers, data operators have a variety of reasons — ranging from technical to financial — for avoiding encryption.

• Utilizing encryption can lead to a 20–30% loss in transponder bandwidth capacity.
• Encryption requires increased power consumption, which is critical for remote terminals, such as those running on solar batteries.
• For certain types of traffic, such as VoIP for emergency services, the lack of encryption is a deliberate measure taken to increase fault tolerance and reliability in critical situations.
• Network providers claimed that enabling encryption made it impossible to troubleshoot certain existing network problems within their current infrastructure. The providers did not elaborate on the specifics of that claim.
• Enabling link-layer encryption may require additional licensing fees for using cryptography in terminals and hubs.

Why did some vendors and agencies fail to react?

It’s highly likely they simply did not know how to respond. It’s difficult to believe that such a massive vulnerability could remain unnoticed for decades, so it’s possible the problem was intentionally left unaddressed. The researchers note that no single, unified entity is responsible for overseeing data encryption on geostationary satellites. Each time they discovered confidential information in their intercepted data, they had to expend considerable effort to identify the responsible party, establish contact, and disclose the vulnerability.

Some experts are comparing the media impact of this research to the declassified Snowden archives, given that the interception techniques used could be deployed for worldwide traffic monitoring. We can also liken this case to the infamous Jeep hack, which completely upended cybersecurity standards in the automotive industry.

We cannot exclude the possibility that this entire issue stems from simple negligence and wishful thinking — a reliance on the assumption that no one would ever “look up”. Data operators may have treated satellite communication as a trusted, internal network link where encryption was simply not a mandatory standard.

What can we as users do?

For regular users, the recommendations are similar to those we give for using any unsecured public Wi-Fi access point. Unfortunately, while we can encrypt the internet traffic originating from our devices ourselves, the same cannot be done for cellular voice data and SMS messages.

• For any confidential online operations, enable a reliable VPN that includes a kill switch. This ensures that if the VPN connection drops, all your traffic is immediately blocked rather than being routed unencrypted. Use your VPN when making VoIP calls, and especially when using in-flight Wi-Fi or other public access points. If you lean toward the paranoid side, leave your VPN on at all times. An effective and fast solution for your needs could be Kaspersky VPN Secure Connection.
• Utilize 5G networks whenever possible, as they feature higher encryption standards. However, even these can be insecure, so avoid discussing sensitive information via text or standard cellular voice calls.
• Use messaging apps that provide end-to-end encryption for traffic on user devices, such as Signal, WhatsApp, or Threema.
• If you’re using a cellular service in remote locations, minimize SMS chats and voice calls, or use services from operators that integrate encryption at the subscriber equipment level.

What else you need to know about telecommunication security:

• Attacks on 5G networks: the arms race continues
• How to protect yourself from SMS blaster scams
• Chatting offline: an overview of mesh messaging apps
• Messengers 101: safety and privacy advice
• What makes a messaging app secure?

Kaspersky official blog – ​Read More

ANY.RUN’s malware analysis and threat intelligence products are used by 15K SOCs and 500K analysts. Thanks to flexible API/SDK and read-made connectors, they seamlessly integrate with security teams’ existing software to expand threat coverage, reduce MTTR, and streamline performance. 

Here’s how ANY.RUN’s solutions can transform your security. 

Interactive Sandbox: Detect Evasive Phishing & Malware 

ANY.RUN’s Interactive Sandbox provides a real-time, cloud-based environment for detonating and analyzing suspicious files, URLs, and scripts across Windows, Linux, and Android systems. It lets analysts perform user actions like launching executables or opening links needed to trigger kill chains and force hidden payloads to reveal themselves, enabling faster detection and response.  

The sandbox integrates with other solutions like SOAR platforms in an automated mode, which means it can fully detonate complex phishing and malware attacks on its own, including by solving CAPTCHAs and scanning QR codes. 

The sandbox delivers immediate, actionable insights into the most evasive threats without risking production systems. 

• Real-Time Threat Visibility: Observe attack chains as they unfold, with 90% of threats detected within 60 seconds, accelerating mean time to detect (MTTD). 

• Higher Detection Rates: Uncover low-detection attacks (e.g., multi-stage malware, CAPTCHA-protected phishing) with up to 58% more threats identified, reducing missed incidents. 

• Automated Efficiency: Cut manual analysis time with automated interactivity, reducing Tier 1 workload by 20% and enabling junior analysts to handle complex cases independently. 

Connectors and integrations for Interactive Sandbox 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Threat Intelligence Feeds: Expand Threat Coverage 

Threat Intelligence Feeds deliver real-time, high-confidence malicious indicators (IPs, domains, URLs) supplied in STIX/TAXII. The indicators are sourced from analyses of the latest malware and phishing attacks performed by 15,000 organizations and 500,000 analysts in ANY.RUN’s Interactive Sandbox.  

Thanks to being powered by one of the largest malware analysis communities, these feeds provide 99% unique IOCs, not found in other sources, that are updated in real time. 

As a result, they give SOCs up-to-date visibility into threats almost as soon as they emerge. With TI Feeds, security teams can: 

• Catch new attacks early: Live intel is streamed soon after the sandbox detection. 

• Respond faster: IOCs come with sandbox reports with full context.  

• Reduce workload: Filtering ensures only high-risk indicators are added. 

Connectors and integrations for TI Feeds 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Threat Intelligence Lookup: Contextualize Alerts 

Threat Intelligence Lookup is a powerful solution designed to streamline and accelerate malware investigations, from proactive monitoring to incident response.  

SOC teams can use it to quickly get actionable context for over 40 different types of Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs), from an IP address and a domain to a mutex and a process name.  

Each indicator in TI Lookup’s database is linked to a sandbox session, where it was observed, providing analysts with a complete view of the attack, including its TTPs. 

• Triage alerts faster: Two-second access to millions of past analyses confirms if an IOC belongs to a threat, cutting triage time. 

• Shorten response time: Indicator enrichment with behavioral context and TTPs guide precise containment strategies. 

• Reduce unnecessary escalations: Provides Tier 1 analysts with the info to make decisions independently, reducing escalations to Tier 2. 

Connectors and integrations for TI Lookup 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Integrate ANY.RUN’s Solutions in Your SOC 

Whether you want to uncover hidden threats in seconds, catch emerging attacks, or enrich alerts with actionable context, ANY.RUN equips your SOC with the visibility, speed, and efficiency needed to stay ahead.  

With flexible API/SDK and ready-made connectors for leading platforms, implementation is smooth, and the impact is immediate: faster MTTR, higher detection rates, and a stronger defense posture. 

Feel free to reach out to us about integrating ANY.RUN’s products in your SOC at support@any.run.  

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.    

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.    

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.    

Ready to see the difference?   

Start your 14-day trial of ANY.RUN today →        

The post Unified Security for Fast Response: All ANY.RUN Integrations for SIEM, SOAR, EDR, and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

October brought another strong round of updates to ANY.RUN, from a new ThreatQ integration that connects our real-time Threat Intelligence Feeds directly into one of the industry’s leading TIPs, to hundreds of new signatures and rules that sharpen network and behavioral detection. 

With 125 new behavior signatures, 17 YARA rules, and 3,264 Suricata rules, analysts can now spot emerging threats faster and with greater precision. Together with the ThreatQ connector, these improvements make it easier for SOCs and MSSPs to enrich alerts, automate response, and gain deeper visibility into live attack activity. 

Product Updates 

Expanding Threat Intelligence Reach: ANY.RUN & ThreatQ 

October brought another major milestone to ANY.RUN’s growing ecosystem; a new integration that links ANY.RUN’s Threat Intelligence Feeds directly with ThreatQ, one of the industry’s leading Threat Intelligence Platforms (TIPs). 

This integration helps SOC teams and MSSPs gain real-time visibility into active global threats, cut investigation time, and strengthen detection accuracy across phishing, malware, and network attack surfaces. 

Now, analysts using ThreatQ can automatically ingest fresh, high-confidence IOCs gathered from live sandbox investigations of malware samples detonated by 15,000+ organizations and 500,000+ analysts worldwide. 

How this update helps security teams: 

• Early detection: Indicators are streamed into ThreatQ the moment they appear in ANY.RUN sandbox sessions, helping teams spot threats before they hit endpoints or networks. 

• Expanded coverage: Up to 99% unique IOCs from recent phishing and malware attacks provide visibility beyond traditional feeds. 

• Faster, smarter response: Each IOC includes a link to its sandbox analysis, giving full behavioral context for rapid validation and containment. 

• Lower analyst workload: Feeds are filtered to include only verified malicious indicators, cutting false positives and Tier-1 triage time. 

Simple Setup, Instant Impact 

The connector works through the STIX/TAXII protocol, ensuring full compatibility with existing ThreatQ environments. Security teams can configure feeds to update hourly, daily, or on a custom schedule; no custom development or infrastructure changes required. 

For detailed information, see ANY.RUN’s TAXII connection documentation. 

Threat Coverage Update 

In October, our team continued to strengthen detection capabilities so SOCs can stay ahead of new and evolving threats: 

• 125 new behavior signatures were added to improve coverage across ransomware, loaders, stealers, and RATs, helping analysts detect persistence and payload activity earlier in the attack chain. 

• 17 new YARA rules went live in production, expanding visibility into credential-dumping tools, network scanners, and new loader families. 

• 3,264 new Suricata rules were deployed, enhancing detection for phishing, APT infrastructure, and evasive network behaviors. 

These updates enable analysts to gain faster, more confident verdicts in the sandbox and enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs. 

New Behavior Signatures 

This month’s updates focus on helping analysts catch stealthy activity earlier in the attack chain. The new behavior signatures detect payload downloads, privilege escalation attempts, and persistence mechanisms used by modern ransomware, stealers, and loaders. 

We also expanded coverage of mutex detections and legitimate administrative tools often abused by attackers. Together, these improvements provide clearer visibility into real-world execution flow and strengthen automated classification in the sandbox. 

Highlighted families and techniques include: 

• Jaff 

• Crypvault 

• Aptlock 

• XtBl 

• Ouroboros 

• Nefilim 

• DarkCloud 

• Xworm 

• Snake 

• Cryptowall 

• Phoenix 

• Lazarus 

• Supershell 

• Starfish 

• Valkyrie 

• Pranova 

• Spartacus 

• Velox 

• Lockify 

New YARA Rules 

In October, we added 17 new YARA rules focused on detecting emerging malware families, credential-dumping utilities, and reconnaissance tools increasingly used in modern attack chains. 

These additions strengthen both automated detection and manual hunting, helping analysts identify threats that blend malicious code with legitimate administrative software. 

Several new rules were built directly from live samples analyzed in the sandbox, capturing real payloads, shellcode fragments, and memory artifacts tied to loaders, stealers, and botnets. This ensures faster and more reliable classification when scanning new samples or correlating incidents across environments. 

Highlighted YARA rules include: 

• Maverick: Detection for a recently active loader family observed in targeted phishing campaigns. 

• ChaosBot: Identifies obfuscated botnet samples distributing info-stealers via Discord channels. 

• Hexa: Flags packed binaries linked to a new modular backdoor variant. 

• Pmdump: Detects credential-dumping activity using memory process extraction tools. 

• Task Manager DeLuxe: Identifies legitimate system tools often repurposed for lateral movement. 

• Network Scanner: Flags reconnaissance utilities used to map internal networks. 

• Yapm: Detects process-management tools frequently abused for privilege escalation. 

• TaskExplorer: Expands visibility into post-exploitation tool use. 

• Ophcrack: Detection of password-recovery tools commonly found in attacker toolkits. 

New Suricata Rules 

This month, the detection team delivered 3,264 new Suricata rules to improve coverage of phishing activity, APT operations, and evasive web-based malware behavior. 

These updates expand network visibility for SOCs and MSSPs, helping analysts detect malicious traffic even when it hides behind trusted services or multi-stage redirects. 

Highlighted additions include: 

• Tycoon 2FA Domain Chain (sid:85004273, 85004828, 85005024): New heuristic rules based on set of web-resources loaded in specific order by Tycoon client-side code 

• Patchwork APT Payload Retrieval via HTTP (sid:85004317): Detects HTTP requests for payload used by Patchwork APT 

• Microsoft 365 themed Phishing Attempt (sid:85004831): Identifies mismatch of MS365 authorization URL chain being used on fake websites 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide across industries such as banking, manufacturing, telecom, healthcare, and technology, helping them build faster, smarter, and more resilient cybersecurity operations. 

Our cloud-based interactive sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in real time. Analysts can observe every system and network action, interact with running samples, and extract IOCs in under 40 seconds; all without complex infrastructure setup. 

Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, ANY.RUN helps SOCs accelerate investigations, reduce noise, and improve detection accuracy. Teams can easily integrate these capabilities into SIEM and SOAR systems to automate enrichment and streamline response. 

Ready to see it in action? 
Start your 14-day trial of ANY.RUN 

The post Release Notes: ANY.RUN & ThreatQ Integration, 3,000+ New Rules, and Expanded Detection Coverage  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More