ANY.RUN now delivers Threat Intelligence (TI) Feeds directly to Microsoft Sentinel via the built-in STIX/TAXII connector. No complicated setups. No custom scripts. Only high-quality indicators of compromise (IOCs) to fortify your SOC and catch attacks early, keeping your business secure. 

About the TI Feeds Connector for Microsoft Sentinel  

ANY.RUN’s TI Feeds support a seamless, out-of-the-box connection to Microsoft Sentinel that delivers real-time threat intelligence directly into your workspace. 

• Effortless Setup: Connect TI Feeds to Sentinel using the STIX/TAXII connector with your custom API key. 

• Enhanced Automation: Sentinel’s playbooks, powered by Azure Logic Apps, automatically correlate IOCs with your logs, triggering alerts or actions like blocking IPs. This cuts manual work and speeds up response times. 

• Cost Efficiency: Leverage your existing Sentinel setup without extra infrastructure costs. Fewer missed threats, thanks to high-fidelity IOCs, reduce the financial impact of breaches. 

The IOCs enriched with links to sandbox sessions can be used in Sentinel’s analytics, letting you build custom rules, visualize threats, and prioritize incidents effectively. 

What Makes ANY.RUN’s Threat Intelligence Feeds Unique 

ANY.RUN’s TI Feeds deliver malicious IPs, domains, URLs that have been active for just hours, not days. We extract them from live sandbox analyses of the latest threats hitting 15,000+ organizations worldwide. Unlike post-incident reports that lag behind, our feeds update every two hours, sending active attack indicators straight to clients. This lets MSSPs and SOCs detect today’s threats early and effectively, keeping systems secure. 

• Fresh Data: IOCs update every 2 hours from live attack detonations in ANY.RUN’s Interactive Sandbox. 

• Rich Context: Each IOC links to sandbox sessions with full TTPs for deeper investigations. 

• Low Noise: Pre-processing by expert analysts ensure near-zero false positives, saving your team time. 

• Flexible Integration: Thanks to API, SDK, STIX/TAXII support, TI Feeds work seamlessly with SIEM/XDR/firewalls and other solutions. 

How TI Feeds Help SOCs and MSSPs Spot Attacks in Time 

Threats move fast. Malware and phishing can slip through if you’re not ready. ANY.RUN TI Feeds give SOCs and MSSPs the edge to detect and stop attacks before they impact. Our high-fidelity IOCs — IPs, domains, URLs — come enriched with context from ANY.RUN’s Interactive Sandbox, ensuring you act with precision. 

• Catch Threats Early: Real-time IOCs enable preventive actions and rapid response to minimize damage. 

• Boost Detection Rate: Near-zero false positives and pre-processing help ensure that your SOC never misses a threat. 

• Lower Costs and Risks: Fewer undetected threats mean reduced financial and operational fallout. Fresh, reliable IOCs help you avoid costly breaches. 

• Cut MTTR: Faster alert triage and a complete threat visibility thanks to linked sandbox analyses informs responders’ actions, helping them prevent threat spread and reduce damage. 

• Improve SOC Performance: Automate threat processing, cutting manual tasks for SOC specialists and letting them prioritize top risks. 

Receive Threat Intelligence Feeds in Microsoft Sentinel 

Here is a detailed manual to guide your TI Feeds setup in Microsoft Sentinel. Should you need any assistance or have any questions, feel free to contact us. 

Connecting to the STIX/TAXII server 

1. Open MS Sentinel and go to the Data connectors tab in the Configuration section. 

2. Search for the Threat Intelligence STIX/TAXII connector and click Open connector page. 

3. You will see the list of prerequisites for the connector to work. If you lack any of them, view this documentation by Microsoft.  

4. Fill out the Configuration form: 

• Name the server via the Friendly name field 

• Insert API root URL: 

• Choose a Collection ID: 

• Enter your Username and Password. 

If you don’t have these credentials, contact your account manager at ANY.RUN or fill out this form.  

You can also choose to import all available indicators or those that are one day, week, or month old via the field Import indicators. Another optional setting is Polling frequency that determines how often you’d like to connect to the STIX/TAXII server to retrieve new feeds: once a minute, once an hour, or once a day. 

Finally, click Add, and you’re all set up. 

If you need more information, see STIX/TAXII documentation by ANY.RUN. 

Browsing indicators 

To access the indicators you’ve retrieved, go to the Threat intelligence tab. 

You’ll find a table with fields describing each indicator: 

• Values – indicator itself; 

• Names – name of an indicator; 

• Types – type of an indicator (IP, URL, or Domain); 

• Sources – source of an indicator; 

• Confidence – this rate determines our level of certainty on whether an indicator is malicious (50 – suspicious, 75 – likely malicious, 100 – malicious); 

• Alerts – number of alerts related to an indicator; 

• Tags – descriptors of an indicator; 

• Valid from and Valid until – time period during which an indicator is considered valid. 

Real-World Application Scenario

Here’s a typical flow your security operations can adopt: 

1. Feed Setup: Your security team configures IOC ingestion from ANY.RUN into Microsoft Sentinel, where data is indexed and becomes searchable. 

2. Automated Correlation: Sentinel continuously analyzes incoming logs from EDR systems, network equipment, proxies, email security, and other sources, automatically correlating them with ANY.RUN’s IOCs. 

3. Alert Generation: When matches are detected (IP addresses, domains, file hashes), Sentinel creates security events and alerts. 

4. Streamlined Triage: Alerts are routed to analysts for manual or semi-automated incident analysis, including log review, event correlation, and behavioral analysis. 

5. Rapid Response: Depending on your configuration, the system can execute manual or automated responses including isolation, blocking, or escalation procedures. 

How TI Feeds in MS Sentinel Boost SOC & MSSP Performance 

Plug ANY.RUN’s feeds into Microsoft Sentinel with minimal setup, leveraging existing infrastructure, and benefit from: 

• Faster Threat Detection: Fresh IOCs flow into your system quickly, accelerating identification of threats. 

• Seamless Interoperability: No need to overhaul processes or tools — TI feeds work within your Sentinel environment. 

• Enhanced Monitoring and Triage Capabilities: Expand your threat detection coverage with high-confidence indicators that improve both monitoring effectiveness and incident triage accuracy. 

• Access to Unique Data: Gain insights from real-time analysis of attacks on 15,000 organizations, powered by ANY.RUN’s Interactive Sandbox. 

• Cost Efficiency: Reduce setup costs by using a seamless STIX/TAXII connector. 

• Process Continuity: Maintain existing workflows without disruption. 

• Automation and Reduced Workload: Automate actions based on IOCs (e.g., flagging logs, isolating endpoints), freeing up SOC resources. 

• Competitive Edge for MSSPs: Stand out with exclusive IOCs derived from cutting-edge research, enhancing your service offerings. 

About ANY.RUN 

ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.  

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.  

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.  

Want to see it in action? Start your 14-day trial of ANY.RUN today → 

The post ANY.RUN & Microsoft Sentinel: Catch Emerging Threats with Real-Time Threat Intelligence appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

X (formerly Twitter) has long had a solid reputation as a primary source of crypto scams, which are often promoted on the social network by compromised or fake accounts of celebrities or major companies. Meanwhile, Meta’s ubiquitous platforms — Instagram, Facebook, and WhatsApp — are earning a similar reputation in a different category: investment fraud involving deepfakes.

Criminals are eagerly exploiting AI tools to create fake videos of prominent figures in the financial sector — from famous economists and TV hosts to heads of government. Attackers then promote these videos by placing ads on social media. In this post, we explain how these schemes work, how victims are duped after watching these videos, the role WhatsApp plays in the schemes, and how you can avoid falling for them.

Instagram, deepfakes, and WhatsApp: investment scams in Canada

To understand how these scams work, we’ll start with a recent campaign that targeted customers of Canadian banks. Attackers began by running Instagram ads in the name of BMO Belski.

The abbreviation BMO was a deliberate choice; Canadian users consistently associate it with the country’s oldest bank, the Bank of Montreal. The mention of the Belski surname was no accident either: Brian Belski is BMO’s chief investment strategist and head of the bank’s investment strategy team.

The BMO Belski ads showed AI-generated deepfake videos of Belski himself promising users the chance to join a private investment group on WhatsApp. The criminals’ strategy was to dupe unsuspecting Canadian users into believing they’re getting trustworthy financial and investment advice from a recognized expert. The users would then rush to chat with the scammers through WhatsApp.

This is what an Instagram ad for a fraudulent investment club with a deepfake Brian Belski looks like: users are encouraged to join a private group on WhatsApp. Source

A curious detail: the BMO Belski account that ran these ads on Instagram had no profile on that social media platform at all. The ads ran through BMO Belski’s Facebook page. Meta, the company that owns both social networks, lets advertisers run Instagram ads from a Facebook business page, thus eliminating the need to create a separate Instagram account.

It’s also interesting that the Facebook page used to promote the fraudulent ads had existed since October 27, 2023, and was previously titled “Brentlinger Matt Blumm” — whatever or whoever that may be. The scammers likely used a pre-made or previously stolen account that was “marinated” for a few years to avoid suspicion and bypass moderation.

The ad with the Brian Belski deepfake was launched on Instagram, but on behalf of a Facebook page. Meta allows promoting ads on Instagram even if the advertiser doesn’t have an account there. Source

Researchers don’t know exactly what went on in the WhatsApp private investment chats promoted by the deepfake. There’s also no information about victims of the ad featuring the fake banker, or the amount of their losses. However, other cases involving similar schemes, which we discuss later in this post, give us an idea of how this could’ve looked.

Scammers impersonate Financial Times’ chief economics commentator

Several months ago in the UK, scammers employed a similar scheme, which featured a deepfake of Martin Wolf, the chief economics commentator for the Financial Times. Similarly to the Canadian bank scam, the fraudsters disseminated ads on Instagram that showed a fake Martin Wolf inviting people to join his WhatsApp group for investment advice.

A former colleague of Wolf’s first alerted the journalist to the ad in March 2025. Once alerted, Wolf started pushing Meta to block the ads because they violated several of the platform’s own advertising policies. After some back-and-forth with Meta, the journalist managed to get one of the fraudulent ads taken down. However, Wolf soon began receiving links to other similar videos.

An example of an investment deepfake video of the Financial Times journalist, which scammers advertised on Instagram. Source

A subsequent investigation by the journalist’s colleagues at the Financial Times showed that the scam campaign included at least three different deepfake videos and several digitally manipulated images of Martin Wolf. These materials appeared in more than 1700 ads across Facebook and Instagram.

According to data from the Meta Ad Library, these ads reached more than 970 000 users in EU countries alone (excluding the UK), where legislation requires platforms to disclose such information. At least ten accounts ran the campaign, with new profiles joining the game as soon as the previous ones were blocked.

In just six weeks, a fraudulent advertising campaign featuring a deepfake of a Financial Times journalist reached nearly a million users in the EU alone. Source

The most shocking part? All of this occurred even though Martin Wolf was enrolled in Meta’s new face recognition system, which is specifically designed to automatically detect and remove this kind of content. The journalist himself questions why an organization as large as Meta, with plenty of resources and AI-powered tools, is unable to detect and block such schemes — if not fully automatically, then at least after direct notifications. Is it really that difficult?

What goes on inside WhatsApp scam chats: a British victim’s story

A British office manager named Sarah shared what happens inside “exclusive communities” on WhatsApp after she became a victim of scammers. She joined a WhatsApp group after watching an Instagram ad that featured Peter Hargreaves, the co-founder of the UK’s largest investment platform, Hargreaves Lansdown. You guessed it: the video was also a deepfake.

After Sarah gave the scammers her number, they contacted her and sent her an invitation to the WhatsApp group. Following that, they sent a link to download a supposed investment app to her smartphone. Sarah was told a “mentor” would assist her by telling her when and at what price to buy and sell assets to lock in a profit.

Initially, Sarah invested £50, but she soon began putting more and more of her savings into assets recommended in the WhatsApp group. Sarah believed she was investing in small, growing companies and quickly earning a profit. In just two weeks, her account showed about £300 in profits on a total investment of about £2 000.

Problems only began several weeks later when Sarah wanted to transfer the profit to her bank account. She started receiving requests to pay taxes, withdrawal fees, and regulatory fees. She continued to pay, convinced that she’d soon get her money back with a large profit.

When Sarah suspected a scam, it was already too late: all the money was gone. The WhatsApp group disappeared, her “mentor” stopped responding, and the investment app quit working. Along with the app, the £4000 she had invested and all of her supposed profits vanished.

More than 600 advertisements featuring deepfakes of Peter Hargreaves were found on the Meta platform. One of these ads led Sarah into the hands of scammers. Twenty-two fraudulent accounts placed the ads, and Hargreaves Lansdown had them removed in May of this year after filing a trademark infringement complaint.

To lure victims, the scammers also deployed deepfakes of other British financial celebrities besides Peter Hargreaves and Martin Wolf. These included Anthony Bolton, a former Fidelity International fund manager, and Stephanie Flanders, a former JP Morgan Asset Management economist.

From The Wolf of Wall Street to WhatsApp groups: how deepfake pump-and-dump schemes work

Malicious actors also employ deepfake videos in Facebook and Instagram ads to carry out another type of investment scam known as pump and dump. This scheme involves genuine financial assets — not fictional tokens in a fake application. The catch is that criminals buy up cheap, unattractive stocks to inflate their price. They then launch an aggressive advertising campaign on social media urging users to invest and promising rapid returns.

Due to the heightened interest, the stock price continues to rise for a time, and more people invest with hopes of easy profit. Once the value peaks, the scammers quickly sell off their shares and disappear with the earnings. After that, the price plummets, and everyone else is left with almost worthless stock.

A similar scheme existed long before the widespread adoption of deepfakes. One of the most famous examples of its execution was the work of Jordan Belfort, the inspiration for the main character in the movie The Wolf of Wall Street. In the early 1990s, his brokerage firm sold cheap, little-known stocks to clients, artificially inflating demand for them before dumping them at an inflated price.

Whereas stock market scammers in the past relied on their own asserted authority to convince victims to purchase dubious stocks, deepfake technology now allows them to exploit the reputations of experts and well-known figures.

For example, a scheme was recently uncovered in Israel where bad actors artificially inflated the stock price of Ostin Technology Group Co. Ltd. (OST). To do this, they circulated deepfake videos featuring business journalist Guy Rolnik, entrepreneur Eyal Waldman, and businesswoman Shari Arison. The scammers also impersonated reputable financial institutions, including the Tel Aviv Stock Exchange, the Israel Securities Authority, Bank Hapoalim, and Israel Discount Bank.

The fraudsters distributed fake promotional videos on Facebook and Instagram and, as in the previous scheme, invited users to join WhatsApp groups, where they provided them with advice on how to purchase OST stock. It didn’t take much persuading; a quick Google search confirmed that OST stock was, in fact, on the rise.

Rise and fall: Ostin Technology Group stock grew multiple times over, and then collapsed by 95% — after a scam campaign with deepfakes and investment chats in Israel. Source

Over several weeks, the company’s stock rose multiple times, reaching US$9.02 at its peak, after which it collapsed by 93%, with the stock price falling to 13 cents. In the two most serious cases, two victims lost 250 000 and 150 000 shekels (about US$75 000 and US$45 000), respectively.

Meta can’t protect users from deepfakes: a story from Australia

Scam ads that targeted Australian Facebook and Instagram audiences employed deepfake videos of several well-known personalities to promote fraudulent investment schemes. These videos featured TV host and financial journalist David Koch, billionaire Gina Rinehart, conservationist and TV host Robert Irwin, and even Australia’s current prime minister, Anthony Albanese.

In a fraudulent ad on Facebook, a deepfake of the Australian prime minister advertises investments Source

In a deepfake video, Anthony Albanese enthusiastically advertised an investment program that promised significant returns for minimal outlay. The links within the deepfake videos of him and the other personalities directed viewers to a fake news story. The article included what appeared to be quotes from famous Australian public figures to support investments in cryptocurrencies, or other get-rich-quick schemes. Facebook users were asked to sign up for the program, after which scammers would contact them to convince them to deposit money.

In response to user complaints about fraudulent ads, Facebook sent out the following boilerplate message:

“We didn’t remove the ad. Thanks again for your report. This information helps us improve the integrity and relevance of advertising on Facebook. […]

We understand this might be frustrating, so we recommend influencing the ads you see by hiding ads and changing your ad preferences”.

The message suggests that Meta isn’t particularly eager to combat fraudulent advertising — even when users try to assist the company. Source

In short, Meta’s efforts to fight deepfakes and investment scams on its platforms remain inadequate. Even with its plentiful resources and AI-powered tools, the company is unable to quickly detect and block obviously fake videos that exploit the likeness of public figures.

These ads appear daily in users’ feeds as paid promotions from fake yet seemingly legitimate accounts. This means that Facebook and Instagram ultimately profit from their being spread.

How to avoid falling victim to deepfake ads on Instagram and Facebook

To avoid suffering from questionable and outright fraudulent investment advice, our primary recommendation is not to make financial decisions based on information from Instagram or Facebook. In addition to that:

• Approach ads on social media with caution. As the stories in this post clearly show, ad moderation on Facebook and Instagram (and X, too) is less than ideal.
• Don’t forget about deepfakes. For several years now, we’ve been living in a reality where videos of any famous person can be easily, quickly, and cheaply faked. You should keep this in mind and verify any information you receive from dubious sources.
• Remember the universal rule of investing: the higher the potential return, the greater the risk involved. Therefore, you shouldn’t invest money you aren’t prepared to lose in schemes with supposedly high profits (which actually have a high risk).
• Be especially careful with offers that promise quick profits with minimal outlay. This is one of the most obvious signs of a scam — you know what they say about free lunch.
• Use only reliable investment apps from vetted brokers downloaded from official app stores. You shouldn’t trust download links sent by strangers in messaging apps.
• Tell your family and friends about deepfake video scams. This will help protect them from losing money and the emotional distress that can follow.

Learn more about deepfakes:

• Watch the (verified) birdie, or new ways to recognize fakes
• Don’t believe your ears: voice deepfakes
• You’re in for a big payout again
• How to mitigate the impact of deepfakes
• Scams targeting lovers or the lovelorn

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

This week the Booker Prize Longlist was released and it featured several books I’ve read this year a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why they would be included at all. It’s always exciting for me to see the Booker Longlist as it gives me an idea of how I’ve tapped into the literary fiction zeitgeist in first half of the year and what I may be tapping into in the back half of the year. That got me thinking about the cycle of staying up to date with the current threat landscape and the evolution of the threat actor behaviors and techniques and how Black Hat and DEF CON reside in a similar space for all of us in the cyber security space. Some of the new or interesting things that will come out will provide actionable insights, others will be a heaping serving of more of the same and while not trivial they will be super interesting and important, and finally some information will simply be all name and sizzle, but in the end full of sound and fury and signifying nothing.  

As a reader I’ve to understand that these lists, and the authors and books included in them, are there for various reasons and not all of them are on the merit of the narrative and the craft of writing. Early in my career it was hard to separate the things that came out of Summer Camp because I was so desperate to learn and so excited that I often couldn’t leverage my own experiences and separate the actionable from the detritus. Now I find that I don’t even have to expend much energy to move the firehose of information into the proper channels in my mind and then dive in and take what I’ve learned and apply it. Also trusting that if something that seems like empty sizzle is important – that I have team members that will keep me clued in and finding the needles in the never-ending field of haystacks.  

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

The one big thing 

The Cisco Talos Incident Response Trends Q2 2025 report is out today, and as always it is packed with in-depth insights into recent attacker behavior. Phishing remains the top initial access vector, but interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities. Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. Education was the most targeted industry vertical this quarter.

Why do I care? 

The report contains details of how attackers are exploiting vulnerabilities and circumventing security tools. Examples include MFA installations with self-service options that allow attackers to register their own devices. We also saw stealthy tactics in ransomware attacks such as the use of PowerShell 1.0 (yes the original version from 2006) in what we’re calling “bring your own binary”.

So now what? 

The report outlines actionable advice based on observed incidents,
such as:

• Proper configuration and monitoring of multi-factor authentication (MFA).
• Importance of centralized logging
• Steps to harden endpoint detection and response (EDR) systems.

These insights help prioritize mitigations that directly address real-world attack techniques. Download the report today.

Top security headlines of the week 

Journalist Discovers Google Vulnerability That Allowed People to Disappear Specific Pages From Search

By accident, journalist Jack Poulson discovered Google had completely de-listed two of his articles from its search results. “We only found it by complete coincidence,” Poulson told 404 Media. “I happened to be Googling for one of the articles, and even when I typed in the exact title in quotes it wouldn’t show up in search results anymore.” (404 media)

ChatGPT, GenAI Tools Open to ‘Man in the Prompt’ Browser Attack

A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. (DarkReading)

Phishers Target Aviation Execs to Scam Customers

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries (Krebs)

Can’t get enough Talos? 

We have lots of videos to share, so queue them up and let’s get learning!

Tales from the Frontlines

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. Reserve your spot.

IR Trends Q2 2025

Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy. Read more.

Beers with Talos

So You Wanna Be an Incident Commander? Meet Alex Ryan. Bill, Joe and Hazel chat with Alex about what it really takes to lead through the chaos of a cybersecurity incident, from coordinating stressed-out teams, fielding exec questions, and making sure people eat. Listen here.

Upcoming events where you can find Talos 

Join us at hacker summer camp! Read our Black Hat preview here.

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08
MD5: 906282640ae3088481d19561c55025e4
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details
Typical Filename: AAct_x64.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Winactivator::1201  

SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442
MD5: 7854b00a94921b108f0aed00f77c7833
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details
Typical Filename: winword.exe
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote
Detection Name: W32.0581BD9F0E.in12.Talos 

SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277
MD5: 42c016ce22ab7360fb7bc7def3a17b04 
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277
Typical Filename: Rainmeter-4.5.22.exe
Detection Name: Artemis!Trojan    

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query 
Detection Name: W32.File.MalParent    

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe 
Detection Name: Win.Worm.Bitmin-9847045-0  

Cisco Talos Blog – ​Read More

ANY.RUN’s Interactive Sandbox provides SOC teams with the fastest solution for analyzing and detecting cyber threats targeting Windows, Linux, and Android systems. Now, our selection of VMs has been expanded to include Linux Debian 12.2 64-bit (ARM).  

With the rapid rise of ARM-based malware, the sandbox helps businesses tackle this threat through proactive analysis and early detection. 

Why ARM-based Malware is a Serious Threat to Your Company 

ARM processors are widely used in resource-constrained IoT devices, embedded systems, and even low-power servers, often deployed with weak security. These devices become prime targets for attackers looking to build massive botnets, steal resources, or gain unauthorized access. The three most popular types of ARM-based malware include: 

• Botnets: Turning devices into “zombies” for DDoS attacks. 

• Cryptojackers: Hijacking CPU for cryptocurrency mining. 

• Backdoors: Maintaining persistent unauthorized system access. 

By expanding the capabilities to identify these threats, companies can prevent large-scale incidents in their infrastructure and reduce costs associated with downtime, recovery, and incident response. 

Launch Your First Malware Analysis in Linux Debian (ARM) VM 

The new OS is now available to all Enterprise users, unlocking deeper analysis capabilities for ARM-based threats.  

To select the Linux Debian VM, follow these simple steps:  

1. Open ANY.RUN’s Interactive sandbox. 

2. Navigate to the New analysis window.  

3. Open the Operating system menu 

3. Click on Linux Debian 12.2 (ARM, 64 bit)  

4. Upload a file/URL you want to analyze, configure the rest of your settings, and run your analysis.  

The update further empowers your security team to detect malware and phishing early with ANY.RUN’s Interactive Sandbox: 

• Ensure fast analysis: Accelerate triage, incident response, and threat hunting with a dedicated ARM environment for instant insights into any threat’s behavior. 

• Cut costs: Analyze ARM-based malware along with Windows, Android, Linux x86 threats directly in ANY.RUN’s sandbox, eliminating the need for multiple platforms. 

• Improve incident escalation: Gather rich, actionable data during Tier 1 analysis to enhance informed handoffs to Tier 2 to mitigate active attacks more effectively. 

• Grow team’s expertise: Help your SOC analysts enhance their skills by analyzing real-world ARM threats, building confidence and knowledge through hands-on investigations. 

Real-World Use Case: Kaiji Botnet 

To demonstrate how ANY.RUN’s Linux Debian 12.2 (ARM, 64-bit) Sandbox operates, we analyzed a real-world sample of the Kaiji botnet, malware specifically compiled for the ARM architecture. 

Kaiji is a botnet that targets Linux-based servers and IoT devices. Once executed, it performs system reconnaissance, masks its presence, disables security mechanisms like SELinux, and ensures persistence through systemd services and cron jobs. It replaces core system utilities and hides malicious activity by filtering command output, all of which are captured inside the sandbox. 

Let’s take a closer look at how Kaiji behaves from the moment it lands on the sandbox: 

View real case inside sandbox 

Fast Detection with Instant Verdict 

In this real-world case, ANY.RUN’s Debian 12.2 ARM sandbox detected the Kaiji botnet in just 25 seconds, as shown in the top-right corner of the sandbox interface. The threat was flagged as malicious activity and accurately labeled kaiji and botnet. 

This kind of speed delivers real value for security teams: 

• Respond faster: A near-instant verdict means teams can act before the threat spreads. 

• Reduce manual work: Quick detection cuts down time spent digging through logs or unclear alerts. 

• Improve SOC efficiency: Faster detection supports lower MTTR and smarter alert triage. 

• Stay ahead of evolving threats: With ARM-based malware on the rise, fast, reliable detection is key to staying protected. 

Full Visibility with Process Tree 

Beyond fast detection, ANY.RUN’s sandbox gives complete visibility into the attack’s behavior. On the right side of the screen, the process tree lays out every action taken by the malware. Clicking on each process reveals detailed information, from execution paths to commands and TTPs used. 

In this Kaiji case, for example, we can see how the malware attempts to maintain persistence by modifying /etc/crontab to run the /.mod script every minute. This script keeps the malicious process running in the background, even if one of the persistence methods fails; a tactic clearly visible and traceable through the sandbox’s behavioral logs. 

This level of insight helps SOC teams not only detect threats quickly, but understand them deeply, supporting better response, reporting, and threat hunting. 

Track Network and File Activity in Real Time 

Just below the VM window, ANY.RUN displays all network connections and file modifications made by the malware, offering analysts a complete picture of how the threat operates. 

In this case, Kaiji’s behavior is clearly visible: the malware replaces key system utilities and intercepts user commands, passing them to the original tools while filtering the output to hide signs of infection. This is handled via the /etc/profile.d/gateway.sh script, which uses sed to remove specific keywords like 32676, dns-tcp4, and the names of hidden files from command output; a stealthy evasion technique that can be easily overlooked without deep behavioral analysis. 

With this visibility, security teams can trace every move, catch hidden modifications, and build accurate IOCs for future detection and response. 

Complete Results, Ready to Investigate or Share 

Once the analysis is complete, ANY.RUN’s sandbox gives you everything you need to take the next step. The IOCs tab gathers all critical indicators, including IPs, domains, file hashes, and more, in one place, so there’s no need to jump between views or dig through raw logs. 

You’ll also get a clear, structured report that maps out the full attack chain from start to finish. Whether you’re documenting a case, sharing findings with your team, or enriching threat intelligence feeds, the report is built to support fast, confident action. 

This end-to-end visibility makes every investigation smoother, and every response stronger. 

About ANY.RUN 

Trusted by over 500,000 security professionals and 15,000+ organizations across finance, healthcare, manufacturing, and beyond, ANY.RUN helps teams investigate malware and phishing threats faster and with greater precision. 

Accelerate investigation and response: Use ANY.RUN’s Interactive Sandbox to safely detonate suspicious files and URLs, observe real-time behavior, and extract critical insights, cutting triage and decision time dramatically. 

Enhance detection with threat intelligence: Leverage Threat Intelligence Lookup and TI Feeds to uncover IOCs, tactics, and behavior patterns tied to active threats, 6empowering your SOC to stay ahead of attacks as they emerge. 

Request a trial of ANY.RUN’s services to see how they can boost your SOC workflows. 

The post Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More