Unknown malefactors are actively attacking companies that use SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities – CVE-2025-53770 (CVSS rating – 9.8) and CVE-2025-53771 (CVSS rating – 6.3), attackers are able to execute malicious code on the server remotely. The severity of the situation is highlighted by the fact that patches for the vulnerabilities were released by Microsoft late Sunday night. To protect the infrastructure, researchers recommend installing the updates as soon as possible.

The attack via CVE-2025-53770 and CVE-2025-53771

Exploitation of this pair of vulnerabilities allows unauthenticated attackers to take control of SharePoint servers, and therefore not only gain access to all the information stored on them, but also use the servers to spread their attack on the rest of the infrastructure.

Researchers at EYE Security state that even before the Microsoft bulletins were published, they had seen two waves of attacks using this vulnerability chain, resulting in dozens of servers being compromised. Attackers install web shells on vulnerable SharePoint servers and steal cryptographic keys that can later allow them to impersonate legitimate services or users. This way they can to gain access to compromised servers even after the vulnerability has been patched and the malware destroyed.

Relationship to CVE-2025-49704 and CVE-2025-49706 vulnerabilities (ToolShell chain)

Researchers noticed that the exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerability chain is very similar to the ToolShell chain of two other vulnerabilities, CVE-2025-49704 and CVE-2025-49706, demonstrated in May, as part of the Pwn2Own hacking competition in Berlin. Those two were patched by previously released updates, but apparently not perfectly.

By all indications, the new pair of vulnerabilities is an updated ToolShell chain, or rather a bypass of the patches that fix it. This is confirmed by Microsoft’s remarks in the description of the new vulnerabilities: “Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

How to stay safe?

The first thing to do is install the patches, and before rolling out the emergency updates released yesterday, you should install the regular July KB5002741 and KB5002744. At the time of writing this post, there were no patches for SharePoint 2016, so if you’re still using this version of the server, you’ll have to rely on compensating measures.

You should also make sure that robust protective solutions are installed on the servers and that the Antimalware Scan Interface (AMSI), which helps Microsoft applications and services to interact with running cybersecurity products, is enabled.

Researchers recommend replacing machine keys in ASP.NET on vulnerable SharePoint servers (you can read how to do this in Microsoft’s recommendations), as well as other cryptographic keys and credentials that may have been accessed from the vulnerable server.

If you have reason to suspect that your SharePoint servers have been attacked, it is recommended that you check them for indicators of compromise, primarily the presence of the malicious spinstall0.aspx file.

If your internal incident response team lacks the in-house resources to identify indicators of compromise or remediate the incident, we advise you to contact third-party experts.

Kaspersky official blog – ​Read More

We’ve been seeing attempts at using spear-phishing tricks on a mass scale for quite a while now. These efforts are typically limited to slightly better than usual email styling that mimics a specific company, faking a corporate sender via ghost spoofing, and personalizing the message, which, at best, means addressing the victim by name. However, in March of this year, we began noticing a particularly intriguing campaign in which not only the email body but also the attached document was personalized. The scheme itself was also a bit unusual: it tried to trick victims into entering their corporate email credentials under the pretense of HR policy changes.

A fake request to review new HR guidelines

Here’s how it works. The victim receives an email, seemingly from HR, addressing them by name. The email informs them of changes to HR policy regarding remote work protocols, available benefits, and security standards. Naturally, any employee would be interested in these kinds of changes, so their cursor naturally drifts toward the attached document, which, incidentally, also features the recipient’s name in its title. What’s more, the email has a convincing banner stating that the sender is verified and the message came from a safe-sender list. As experience shows, this is precisely the kind of email that deserves extra scrutiny.

A phishing email message designed to lure victims with fake HR policy updates

For starters, the entire email content — including the reassuring green banner and the personalized greeting — is an image. You can easily check this by trying to highlight any part of the text with your mouse. A legitimate sender would never send an email this way; it’s simply impractical. Imagine an HR department having to save and send individual images to every single employee for such a widespread announcement! The only reason to embed text as an image is to bypass email antispam or antiphishing filters.

There are other, more subtle clues in the email that can give away the attackers. For example, the name and even the format of the attached document don’t match what’s mentioned in the email body. But compared to the “picturesque” email, these are minor details.

An attachment that imitates HR guidelines

Of course, the attached document doesn’t contain any actual HR guidelines. What you’ll find is a title page with a small company logo and a prominent “Employee Handbook” header. It also includes a table of contents with items highlighted in red as if to indicate changes, followed by a page with a QR code (as if to access the full document). Finally, there’s a very basic instruction on how to scan QR codes with your phone. The code, of course, leads to a page where the user is asked to enter corporate credentials, which is what the authors of the scheme are after.

The scammers’ document used as a lure

The document is peppered with phrases designed to convince the victim it’s specifically for them. Even their name is mentioned twice: once in the greeting and again in the line “This letter is intended for…” that precedes the instruction. Oh, and yes, the file name also includes their name. But the first question this document should raise is: what’s the point?

Realistically, all this information could have been presented directly in the email without creating a personalized, four-page file. Why would an HR employee go to such lengths and create these seemingly pointless documents for each employee? Honestly, we initially doubted that scammers would bother with such an elaborate setup. But our tools confirm that all the phishing emails in this campaign indeed contain different attachments, each unique to the recipient’s name. We’re likely seeing the work of a new automated mailing mechanism that generates a document and an email image for each recipient… or perhaps just some extremely dedicated phishers.

How to stay safe

A specialized security solution can block most phishing email messages at the corporate mail server. In addition, all devices used by company employees for work, including mobile phones, should also be protected.

We also recommend educating employees about modern scam tactics — for example, by sharing resources from our blog — and continually raising their overall cybersecurity awareness. This can be achieved through platforms like Kaspersky Automated Security Awareness.

Kaspersky official blog – ​Read More

Wi-Fi can be used to track people’s (and pets’) movements in the home — from the tiniest gestures, such as hand waves. This application of Wi-Fi is nothing new in theory, but only recently has it been put on a commercial footing. The technology is now being offered by home internet providers and equipment vendors. It may even be incorporated in the new Wi-Fi standard, so it’s important to understand the associated pros and cons. Let’s see how the technology works, whether it poses any privacy risks, and how to disable it if necessary.

How Wi-Fi sensing works

Wi-Fi sensing came about as a side effect of the quest to speed up Wi-Fi. Modern routers have the ability to focus the signal on devices they exchange data with, making the connection faster and more reliable. Known as Wi-Fi beamforming, this technique involves the router measuring the radio signal with sufficient accuracy to determine not only its strength but also its propagation in space. Based on these parameters, the router beams the signal in the direction of the device, and uses channel state information (CSI) to continuously monitor and adjust the communication link.

During the data exchange, if interference of some kind appears between the device and the router, say, a person or a dog passes by, the shape of the radio signal will change slightly. The router is sensitive enough to detect this, effectively making it a motion sensor.

Then there’s just the small matter of developing mathematical algorithms that can detect movement in the home based on changes in CSI, and implementing them in the router firmware. And to receive analytics and signals about motion events, the router communicates with a mobile app on the user’s smartphone, for which a proprietary cloud service is used. Smart doorbells or video baby monitors work in exactly the same way.

Wi-Fi sensing requirements and limitations

There are some important technical nuances that must be considered for Wi-Fi sensing to do its job:

• The router itself must have multiple antennas and be at least Wi-Fi 5 (802.11ac) compatible.
• In the home there must be stationary or rarely moved devices (usually one to three) connected to this router via Wi-Fi — for example, a printer, a smart speaker and/or a smart TV. Sometimes Wi-Fi extenders and mesh Wi-Fi devices can perform the role of a “sensor”.
• Motion detection will occur only in the oval zone between the router and the “sensor”, and post-setup testing is required.
• When motion is detected, it’s not possible to determine what moved or where exactly it took place between the router and the “sensor”. In this respect, the technology is not unlike the infrared motion sensors of conventional security systems. However, with advances in computing power and machine learning, this limitation may disappear — witness a new study in which researchers harnessed Wi-Fi for human pose estimation.

Wi-Fi sensing can be used to detect motion in the oval zone between the router and a stationary device connected to the router via Wi-Fi

The past, present and future of Wi-Fi sensing

The first known commercial application of Wi-Fi sensing technology was the Aware feature in Linksys routers. Back in 2019, Linksys positioned Aware as a subscription-based feature. But in mid-2024, the service was discontinued, and now, according to the vendor itself, Linksys routers have no proprietary application and don’t collect data.

However, since 2025, the feature has been available to customers of Xfinity — Comcast’s home internet brand. It’s called Wi-Fi Motion. Deutsche Telekom has also announced such a feature, but not yet named it. In any case, Wi-Fi sensing will likely cease to be a rarity in the coming years: work has been underway since 2020 to standardize the feature under the technical name 802.11bf. Once motion recognition enters the 802.11 family of standards, almost all vendors will support it.

The pros and cons of Wi-Fi sensing

If the service is provided for free, some will jump at the chance of getting a home security system without having to buy additional hardware. At the very least, it will appeal to home owners who want to keep their property under surveillance for a short period of time — for example, when away on vacation. But bear in mind that Wi-Fi sensing is no replacement for a full-fledged security system, and you need an action plan in place should the alarm go off. Note also that the oval zone between your printer or smart TV and router is by no means the only area that thieves can penetrate, so you need to secure other parts of your home too.

Another relatively harmless use of Wi-Fi sensing is monitoring routine activity in the home: whether the kids are back from school, whether grandma is okay, etc.

Wi-Fi sensing also has potential in the home automation niche; for example, motion tracking can be used to turn the lights on and, after a set period of inactivity, off again.

The potential harm from the technology lies in the fact that not only owners can track movements in their homes. Xfinity documentation already states that motion event data may be transferred to the police and other “third parties” in legal proceedings. And if the provider collects and stores data from motion sensors, it’s a short step to selling this data to advertisers.

Another potential threat is router hacking. Hackers already break into home routers to spy on users or make money in various ways. Another monetization route for malicious actors is to analyze motion-in-the-home data and sell this information on to burglars.

How to guard against Wi-Fi sensing abuse

So far, the feature is available only on a few router models leased out by certain internet providers. And in Xfinity devices, it’s disabled by default.

If you’re one of those who decide that the benefits outweigh the risks, you’ll need to activate the feature yourself, set up and test it, and also make sure that the router is configured according to our smart-home protection tips. To recap them in brief: the Wi-Fi network and the router control panel must be protected by unique, strong passwords, and all computers and smartphones must have a full-fledged security solution installed that delivers smart-home security analysis (vulnerability search in the home Wi-Fi network, and notifications about attempts to connect new devices to it).

But what if you don’t want anything to do with Wi-Fi sensing? As the number of compatible devices increases and the risk of forced activation rises, your first line of defense against Wi-Fi sensing will be to buy your own router instead of leasing one from a provider. You can then set up the router yourself and disable unnecessary features; just be sure to choose a model that allows control without mobile apps and doesn’t require connection to the vendor’s cloud service. After buying a router, remember to apply our home network setup tips.

A more complex method is to connect all stationary devices to a computer network using an Ethernet cable. For printers, TVs and game consoles, this is not only safe, but also provides the fastest and most stable connection.

What other hidden risks and opportunities does Wi-Fi technology harbor? Essential reading:

• Other people’s smartphones are spying on your router. How to stop it
• Fake Wi-Fi on board a flight
• Wi-Fi hacking using PMKID interception
• Disposing of a gadget? Remember to wipe this
• How to find a person and recognize their pose using Wi-Fi

Kaspersky official blog – ​Read More

• In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. 
• The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.  
• Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. 
• The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.

In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.  

During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.

Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.

MaaS operation leverages GitHub public repositories 

MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign. 

This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey. 

Emmenhtal and Amadey 

The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.  

Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.  

Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader. 

Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat. 

GitHub as an open directory 

During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins: 

• Legendary99999 
• DFfe9ewf 
• Milidmdds 

In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic. 

Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.

Legendary999999 

“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:

The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:

https://github.com/[account_name]/[repository_name]/releases/download/[release_name]/[file_name]

Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above. 

Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.

DFfe9ewf

“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.

While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.

“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.

The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim’s machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data. 

While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.

Milidmdds

The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.

Emmenhtal similarities between activity clusters 

Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called: 

• Work.js 
• Workhmv.js 
• Putikatest.js 

Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity. 

The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below. 

The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.

Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:

The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).

The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including: 

• Amadey 
• A legitimate copy of PuTTY.exe 
• AsyncRAT 

The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.

Examples of the final decrypted PowerShell downloader are shown below.

Related Emmenhtal variants 

MP4 file variants 

During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane[.]com: 

• pivqmane[.]com/testonload[.]mp4/ 
• pivqmane[.]com/doc/fb[.]mp4 

Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.

Purpose-built variant: “Checkbalance.py” 

Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign. 

In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.

The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.

The final PowerShell command downloads the Amadey payload from the IP address “185[.]215[.]113[.]16” as a file labeled “amnew.exe”.  The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository. 

After execution, this payload contacts “hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php”, a known Amadey C2 address.

Coverage  

Ways our customers can detect and block this threat are listed below.  

Indicators of compromise (IOCs) 

IOCs for this threat can be found on our GitHub repository here. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Cisco Talos Blog – ​Read More

Streamlining your SOC workflows with fresh intelligence is now easier than ever: ANY.RUN introduces free access to Threat Intelligence Lookup. 

With it, you can enrich your threat investigations with data on attacks targeting 15,000 companies all over the world. All you need to do to strengthen your defense against them is to register, browse our unique database, and gain actionable insights.  

Threat Intelligence in ANY.RUN continues to evolve — not only by adding more features, but by making the right ones easier to use. We’ve simplified access to ANY.RUN Threat Intelligence with a free version of TI Lookup.  

You now can explore Public Samples, TTPs, Suricata rules, and malware trends inside our Threat Intelligence product in a cleaner, faster way. 

It’s about putting existing value in the right place, for the right audience. For analysts and teams starting with ANY.RUN in a Threat Intelligence context, this is a much better entry point. 

It’s a step to help you do less — so you can focus on more. 

Aleksey Lapshin, ANY.RUN CEO 

TI Lookup—Essential Solution for SOC Teams

TI Lookup is ANY.RUN’s key solution for working with threat intelligence. It simplifies and accelerates different stages of malware investigations, from proactive monitoring to gaining insights for incident response. As a result, you get to ensure a better defense against cyber threats for your company. 

In practice, this means that TI Lookup provides you with Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs). It not only links each indicator to an attack or sample but also showcases its behavior inside the sandbox. 

The source of indicators is unique: all data comes from millions of public malware analysis sessions done in ANY.RUN’s Interactive Sandbox. TI Lookup allows you to tap into it to gain invaluable insights into real threats targeting 15,000 companies in finance, manufacturing, transportation, government, and other industries right now.

Unlike other solutions relying on public reports or databases published days or weeks after an incident, TI Lookup provides fresh, actionable data available to you hours or even minutes after the attack happened. 

And now you get to access the benefit of our service at no cost. See how even its free version with limited functionality can become a game-changer for your security operations.  

Results You Can Achieve Using Free Plan  

Essential features of TI Lookup are available at no cost. With the free plan, you can view up to 20 recent sandbox sessions per query, conduct unlimited searches using basic search fields (file hashes, URLs, domains, IPs, MITRE ATT&CK techniques, Suricata IDs, etc.) and an operator for combination search (AND). 

With free access to TI Lookup, you can gain a powerful solution to common challenges of SOC teams: 

• Enrich threat investigations: Get extensive threat context by linking existing artifacts to actual attacks. 

• Reduce response time (MTTR): Explore identified threats’ behavior, purpose, and targets through sandbox analyses for fast, informed security decisions.  

• Strengthen proactive defense: Collect data on emerging threats to act before they cause harm. 

• Grow expertise of your team: Let your SOC specialists explore real-world attacks and see examples of TTPs in actual malware via the interactive MITRE ATT&CK matrix.   

• Develop SIEM, IDS/IPS, or EDR rules: Intelligence collected via TI Lookup can be used to improve proactive defense of your business. 

All you need to do to get started is to sign up for ANY.RUN or sign in your account. 

TI Lookup’s Free Plan: Real-World Use Cases  

See how TI Lookup can give you a hand in solving common SOC challenges in a couple of examples. They involve threats active today and demonstrate how ANY.RUN’s solution will speed up and simplify their breakdown. 

Fast Triage and Data-Fueled Response 

If you receive an alert related to a suspicious domain, you can check it in TI Lookup to get the verdict in seconds. E.g., enter this simple query: 

domainName:”smtp.godforeu.com” 

And almost instantly you’ll see the verdict—it is indeed malicious.  

This info is enough to escalate the incident, but that’s not all TI Lookup is capable of. Take a look at the tags in analysis sessions that involve the domain in question. From them, you can also determine the name of the threat it’s related to—Agent Tesla. 

And by clicking any of the sessions, you’ll be transferred to ANY.RUN sandbox for further investigation. You can observe how malware behaves and collect extra IOCs and TTPs. For example, follow this link to see the analysis of a threat sample from TI Lookup search results: 

View sandbox session 

That’s how you get to enrich your threat research to follow through with an informed incident response. 

Threat Hunting for Proactive Defense 

Another way to apply TI Lookup’s free functions is to use it for threat hunting. For instance, if you would like to research the phishing kit Tycoon2FA’s activity in a particular region, you can create a compound query like this: 

threatName:”tycoon” AND submissionCountry:”de”  

It combines the name of the threat we’re interested in with the id of a country—in this case, de – Germany. By entering this query, you’ll see the most recent analysis samples involving Tycoon2FA that were uploaded by users from there: 

Now you get to collect IOCs and use this data to proactively defend your infrastructure.  

With a Premium plan, you would also be able to subscribe to your query. This feature is called Search Updates and allows you to stay on the lookout for emerging threats that fit your previous search: 

Maximize Benefits and Unlock Premium Features 

The free version of TI Lookup grants you the functionality needed to achieve tangible results. To gain full access to its features and expand your ability to conduct investigations, opt for the Premium plan. With it, you can access three times more data, automate alert triage, and receive notifications on attacks as soon as they emerge.  

It’s designed for SOC teams from businesses and organizations, as it allows for private searches that can’t be seen by other users and other exclusive features: 

• Speed up alert triage: Quickly correlate alerts against a vast database of the latest IOCs, IOBs, and IOAs. 

• Automate workflow for real-time monitoring: Integrate TI Lookup with your security tools (e.g., SIEM, TIP, or SOAR systems). 

• Threat hunt with precision: Create and browse custom YARA rules in ANY.RUN’s database to identify malware patterns with YARA Search. 

• Investigate in detail: Fine-tune your search with over 40 search parameters, as well as extra operators. 

• Stay proactive: Set up automated alerts for specific IOCs or threat patterns for continuous updates. 

• Follow malware trends: With TI Reports by our expert analysts, you can raise awareness about the latest attacks targeting different industries. 

Let’s see how TI Lookup’s interface looks like with all features unlocked. For that, we’ll use a query to look for the Lumma family threats. Additionally, we’ll browse for all domains related to it: 

threatName:”lumma” AND domainName:”” 

Here are the results TI Lookup returns: 

As you can see, the Premium plan grants you more data: it includes domains, countries, ports, IPs, and more. In this case, it’s especially important that we got to collect many malicious domains. 

Conclusion 

TI Lookup is a must-have tool if you want to maintain a simpler and faster way to conduct threat investigations. SOC teams can benefit from it immensely thanks to relevant, real-world data it provides. Accelerate your decision-making and take proactive action against malware with TI Lookup—available with Free and Premium plans. 

About ANY.RUN   

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.   

• Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.   

• Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats. 

Request trial of ANY.RUN’s services to see how they can boost your SOC workflows

The post Free. Powerful. Actionable. Make Smarter Security Decisions with Live Attack Data   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More