Malware analysis is a promising yet competitive career path, where education must be taken seriously to stand up against ever-evolving threats. The demand for such professionals has never been higher, but the requirements and expectations are not low either.  

A specific mindset and a number of well-developed soft skills are no less vital than a set of technical skills directly related to performing the job. Nurturing this mindset, as well as developing the skills, is a challenge not only for future professionals, but for educational institutions that offer cybersecurity programs.

1. Technical Skills 

Here go hands-on abilities critical for understanding and countering malware, acquaintance with research methods and tools. 

• Static And Dynamic Malware Analysis.  

Static analysis is examining malware without executing it—disassembling code, inspecting binaries, and identifying suspicious strings or functions. Dynamic analysis includes running malware in a controlled environment to observe its runtime behavior, such as network traffic or system changes. 

• Networking and Protocol Analysis. 

Malware often communicates with C2 servers or propagates through networks. Recognizing abnormal network traffic is crucial. 

• Programming Proficiency. 

Writing scripts or tools in languages like Python or C to automate analysis, unpack malware, or simulate its effects will be a part of work routine. This amplifies efficiency and enables custom solutions for unique threats. The skill is gained through coding practice, creating YARA rules, and engaging with cybersecurity coding projects. 

One great source of technical skills are quality learning programs and courses from validated experts — like ANY.RUN’s Security Training Lab. Based on nine-year experience in threat hunting and analysis, the program contains 30 hours of academic content, educational videos, interactive tests and practical tasks. It is designed with both students and universities demands in mind.  

2. Analytical Thinking (Problem Solving)  

 These skills form a mental framework optimal for dealing with complex threats. 

• Pattern Recognition.  

Identifying similarities between malware samples aids in detecting new variants and understanding campaigns. It is cultivated by reviewing diverse samples and indicators, studying threat intelligence reports, and building mental or written databases of common tactics. 

• Root Cause Analysis and Logical Deduction.  

An analyst must be able to find the underlying issue behind an incident to prevent recurrence and refine defensive measures. For this, endpoint forensics, registry analysis, and analyzing system logs are of great help. 
Deduction is applied to infer malware functionality from incomplete or obscured data (e.g., encrypted payloads) and assume effective countermeasures. 

• Hypothesis Testing. 

Formulating and testing assumptions helps understand malware behavior and intent. One can learn it by practicing in controlled environments, experimenting with malware configurations. 

3. Communication and Reporting Skills 

Analysis is useless if it can’t be shared effectively with teams and stakeholders. 

• Technical Writing. 

Clear, concise reports (e.g., detailing a malware’s TTPs—tactics, techniques, procedures) and executive summaries bring actionable insights for security professionals or executives, are crucial for team coordination and legal use. 

• Collaboration and Information Sharing.  

Participating in cybersecurity communities, contributing to threat intelligence platforms help enhance the collective understanding of threats and fuel professional growth of each member.  

• Verbal Explanation and visualization. 

Very much in demand is the capability to translate complex findings into terms for non-experts, to bridge the gap between analysts and decision-makers. An expert should be ready to speak at professional events and be coherent at meetings of any audience and level.   
Non the less important is competence is fluency in visualizing information, creating diagrams, attack trees, or timelines of malware behavior.  

It is important to make professional communication your joy and habit since your early days in the industry. ANY.RUN’s Security Training Lab, for instance, supports a private discord community for students with tips, lifehacks, and the latest news in cybersecurity, fostering collaboration and knowledge sharing. 

4. Adaptability and Creativity 

Malware is evolving, so analysts must too, often thinking outside conventional approaches. 

• Learning Agility.  

Quickly grasping new tools, techniques, or malware trends keeps analysts relevant as threats shift and is vital for staying proactive. New career opportunities are always round the corner for those ready to take online courses, read research papers, attend webinars, explore industry news, and experiment with emerging tech. 

• Out-of-the-Box Thinking.  

Crafting novel ways to unpack obfuscated code or bypass anti-analysis tricks allows to outsmart malware authors. Problem-solving is fostered by brainstorming alternative approaches, collaborating with peers, and studying unconventional attack methods. 

• Resilience and Flexibility. 

Adaptability helps survive and progress when malware refuses to behave predictably, resists analysis, and high-end tools fail.  

5. Experience  

Practical exposure builds the intuition and context that technical skills alone can’t provide. 

• Familiarity with Malware Families. 

Real-world experience with topical malware is key to identifying common traits and recognizing advanced techniques.  

• Incident Response and Threat Hunting. 

Hands-on experience with real malware outbreaks sharpens decision-making under stress and reveals real-world impact. Experience in live environments develops a proactive approach to identifying and mitigating threats, bridges theory and practice. 

• Tool Mastery.

Proficiency with services and instruments is what delimits pro from a wannabe. The skill is built by consistent use in labs, following tutorials, and experimenting with new features or plugins. 

Experience is gained through practice only, so practice must be an integral element of education. Our Security Training Lab program introduces students to a range of tools for malware, script, and document analysis, including full access to ANY.RUN’s Interactive Sandbox.  

Why universities choose ANY.RUN’s Security Training Lab 

The program provides educational institutions with the content, tools, and resources they need to train students on actual threats, ensuring they graduate with the skills and knowledge to be effective cybersecurity professionals.  It is designed to: 

• Close the skills gap — equip students with hands-on experience that employers demand. 

• Expand curriculum — Add real-world malware investigations to theory-based lectures.  

• Ensure expert support — Customers get assistance from our malware analyst team. 

• Help with efficient course management — Monitor student progress and performance. 

Conclusion 

A good malware analyst blends these skills seamlessly. Technical prowess without analytical thinking is like having tools but no plan — ineffective against clever malware. Experience sharpens both, while adaptability keeps them current. Communication ties it all together, ensuring the analyst’s work drives real outcomes, not just personal insight. Each skill is achievable with deliberate effort, practice, and a mindset that thrives on challenge — qualities any aspiring analyst can cultivate over time. 

Educational solutions like ANY.RUN’s Security Training Lab empower universities to deliver a modern curriculum that meets industry standards without recruiting specialized faculty, to make their cybersecurity program engaging and relevant, and to prepare students to handle actual threats. 

Learn more about Security Training Lab and get a quote for your university 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request free trial of ANY.RUN’s services → 

The post Decoding a Malware Analyst: Essential Skills and Expertise appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

It’s here! The news security teams have been waiting for: ANY.RUN now fully supports Android OS in its interactive sandbox! 

Now, you can investigate Android malware in a real ARM-based sandbox, exactly as it would behave on an actual mobile device. No more blind spots or unreliable analysis. 

With this release, ANY.RUN allows SOC teams, incident responders, and threat hunters to analyze Android threats faster, more efficiently, and with greater accuracy while reducing operational costs. 

And the best part? Android OS support is available to everyone, including Free plan users! 

Why Your Team Needs Mobile Threat Analysis Inside ANY.RUN’s Android Sandbox 

Android malware is a direct risk to businesses, financial institutions, and enterprise security teams. Attackers are targeting mobile devices to steal credentials, infiltrate corporate networks, and compromise financial systems.  

Without real-time mobile threat analysis, businesses face delayed detection, higher security costs, and increased exposure to cyber threats. 

Now you can interact with APK files in a fully controlled environment, track malicious activity in real time, and generate in-depth reports: all in one convenient place. 

By analyzing Android threats inside ANY.RUN’s secure cloud-based environment, businesses can: 

• Spot Android malware in seconds: Run suspicious APKs in a real Android environment and catch threats before they spread. 

• See exactly what malware is doing: Watch how it abuses permissions, steals data, or makes shady network connections, no more guesswork. 

• Make Android threat investigations easier: Quickly analyze mobile malware without slowing down your team or piling on extra work. 

• Take full control of your data: Analyze Android threats in a private, secure environment where only your team has access, no third parties involved. 

• Improve collaboration: Generate structured reports with detailed APK insights, making escalation and knowledge sharing between your team more effective. 

How to Get Started with ANY.RUN’s Android Sandbox 

Getting started is quick and easy.  

Since ANY.RUN is fully cloud-based, there’s no need to download or install complicated software. Just sign up and follow these simple steps to start analyzing right away: 

1. Select Android OS – Before launching an analysis, choose Android from the operating system menu. 

2. Upload the APK file – Drag and drop the file into the sandbox. 

3. Start the investigation – Run the file and observe its behavior in real time. 

See It in Action: Analyzing Mobile Malware Inside ANY.RUN’s Android Sandbox 

Let’s look at real-world malware cases to see how ANY.RUN’s interactive sandbox makes Android threat analysis easier and more effective. 

One notorious Android malware family is Coper, a banking trojan that targets financial apps, steals user credentials, and intercepts SMS messages. Attackers use it to bypass two-factor authentication (2FA) and take full control of compromised devices. 

With ANY.RUN’s Android OS sandbox, we can break down exactly how this malware behaves in real time. 

View analysis session 

Instant Detection with Interactive Analysis 

The first thing you’ll notice after running an analysis is that ANY.RUN immediately flags suspicious activity. In this case, we see a red alert in the top right corner, signaling that the APK file is performing dangerous actions. 

Since the sandbox is fully interactive, we can engage with the app just like on a real Android device. This means: 

Opening the malware-infected app and seeing how it behaves 
Granting or denying permissions to observe how it reacts 
Triggering functions like keylogging to uncover hidden actions 

Digging into the Tree of Processes 

To understand how Coper operates under the hood, we check the Process Tree section, which provides a structured breakdown of all executed processes. 

Here, you can: 

• See which processes are spawned by the malware 

• Identify connections to suspicious services or commands 

• Detect any attempts to gain persistence or execute additional payloads 

The Process Tree is located in the right part of the analysis screen, giving a clear and organized view of how the APK interacts with the system.  

Instead of manually tracking logs, security teams get a clear breakdown of malicious actions in a simple, visual format. 

Understanding the Attack Tactics with MITRE ATT&CK Mapping 

Next, we head to the MITRE ATT&CK Matrix section, which helps map out exactly what techniques and tactics Coper is using. 

Inside ANY.RUN, this can be found under the MITRE ATT&CK tab, where you get a structured breakdown of: 

• The specific attack techniques used (e.g., credential theft, keylogging, SMS interception) 

• The broader tactics the malware follows (e.g., persistence, privilege escalation) 

• Links to detailed explanations for deeper research 

By clicking on any technique, you get a detailed description of how the attack works, making it easier to correlate threats and improve security defenses. 

Collecting IOCs for Threat Intelligence 

Once the analysis is complete, ANY.RUN generates structured, in-depth reports, allowing SOC teams to get: 

• Malicious URLs and IP addresses 
• Dropped or modified files 
• Registry changes and system modifications 

These IOCs can be exported and shared for further action, helping organizations update security rules, improve detection, and prevent future infections. 

In this analysis of GoldDigger malware, we can see a collection of useful IOCs by clicking the “IOC” button in the top right corner of the screen. 

Generating a Structured Report for Easy Sharing 

Once the analysis is complete, it’s time to generate a detailed report. In ANY.RUN, this can be done in the Reports section, allowing SOC teams to: 

 Quickly escalate cases with clear, organized evidence. 
 Share findings across teams for improved collaboration. 
 Enhance future detection strategies using real-world behavioral data. 

Having a clear, documented report helps SOC teams, threat hunters, and incident responders work more efficiently, ensuring that findings are communicated effectively across teams. 

Turn Your Team’s Hours of Android Malware Investigation into Minutes 

ANY.RUN’s Android OS support is a whole new way to investigate mobile threats with speed and precision.  

Whether your security team is tackling incident response, malware research, or threat hunting, this release helps businesses detect Android threats easier, cut investigation time, and strengthen security operations. 

• It’s fast – No waiting for static scans or manual reverse engineering. See how an APK behaves in seconds 

• It’s interactive – Click, explore, and engage with malware just like you would on a real Android device. 

• It’s detailed – Track every action with process trees, MITRE ATT&CK mapping, and real-time network insights. 

• It’s fully cloud-based – Run Android malware investigations anytime, anywhere, without worrying about infrastructure. 

• It’s built for teams – Generate structured reports, share findings, and collaborate on investigations seamlessly. 

Start your first Android analysis today and experience the precision of mobile malware analysis inside a real ARM-based sandbox. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request free trial of ANY.RUN’s services → 

The post Expose Android Malware in Seconds: ANY.RUN Sandbox Now Supports Real-Time APK Analysis  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Since February, many users have been complaining about the Android System SafetyCore app suddenly appearing on their Android phones. It has neither UI nor settings, but Google Play says the developer is Google itself, the number of installations exceeds a billion, and the average rating is a dismal 2.4 stars. The purpose of the app is described vaguely: “It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages”. It’s not hard to guess what “sensitive content” stands for, but how and why is Google going to be warning us about it? And how is it going to find out whether the content is indeed sensitive in nature?

First, some reassurance regarding privacy: neither Google nor independent experts have reported any privacy concerns. SafetyCore runs locally — without sending photos or associated information to external servers. When the user receives an image in Google Messages, a machine-learning model that runs locally on the phone analyzes it and blurs it if it detects anything saucy. To remove the blur, the user has to tap the image and confirm that they really want to view the content. A similar thing happens when sending: if the user tries to send an image with nudity, the phone double-checks if it really needs to be sent. Google stresses that it doesn’t send scan results anywhere.

The SafetyCore app handles the image analysis — but it’s not designed for standalone use. Other apps call on SafetyCore when receiving or sending pictures, but it’s up to them how to use the output. So far, AI analysis can only be used in Google Messages: images recognized as “sensitive” will be blurred. In the future, Google promises to make SafetyCore features available to other developers, enabling apps like WhatsApp and Telegram to detect nudes as well. Other apps could be configured to, for example, block adult content or immediately filter such images into spam.

Unlike previous attempts by Google and Apple to protect children from unwanted content, SafetyCore avoids external server analysis, which enhances privacy but strains hardware. Google anticipates that SafetyCore will eventually be installed on all sufficiently powerful (2GB RAM, Android 9+) phones. The feature will be disabled by default for adult users but enabled for minors. If you don’t need this kind of hand-holding, or don’t like having extra apps, you can simply remove SafetyCore from your phone. Unlike numerous other Google services, this app can easily be uninstalled through both Google Play and the “Apps” subsection of the phone settings. However, bear in mind that Google might reinstall the app with a future update.

SafetyCore is the most sophisticated, though not the only, on-device (meaning no cloud usage and no user-data sharing) AI-powered protection system that Google is developing. Alongside SafetyCore, in October 2024 Google announced language models designed to analyze messages from strangers in Google Messages and suggest ending the conversation if the message text resembles a typical scam scheme.

Besides SafetyCore, another app is spawning on devices with no warning — Android System Key Verifier. It also has no UI, can easily be uninstalled, and is designed for secure communication. However, it features no AI-driven analysis. This app enables two users to verify their keys during end-to-end encrypted messaging. WhatsApp and Signal have their own ways of doing this (users scan each other’s QR codes when meeting in person, or they compare long strings of numbers that show up on the screen). Google wants to make this easier for all messaging apps by putting a standard interface into Android.

Users’ main issue with Google, and the reason for the poor ratings, isn’t what the apps do, but how they’re installed: with no warnings, no explanations, and no user choice. A new app just appears on their phones. Many Google Play reviewers worry if it’s a virus, and some claim their phones or specific apps see reduced performance. There were no widespread issues connected to installing these Google apps, but if you’ve any doubts, you can manually delete the app and see if your phone indeed works better.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.

Let’s pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025.

When a software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn’t typically (or shouldn’t be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement.

In last week’s newsletter, my colleague Martin asked, “Who is responsible, and does it matter?” As a thought exercise, let’s flip the script and ask, “Where is the victim, and does it matter?” I often field questions about threats specific to countries, regions, or continents, but the reality is that software is largely the same regardless of physical location. Yes, there are different language packs, and yes, spam and phishing campaigns may use local languages. However, when it comes to software, operating systems, libraries, and drivers, we share code globally.

Remember Log4j and NotPetya? These vulnerabilities caused chaos around the globe. Both have CVEs listed in the Known Exploited Vulnerabilities (KEV) catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

While researching the KEVs added in 2024, I discovered CVEs dating back to 2012, 2013, and 2014. This underscores that regardless of location, old vulnerabilities can remain relevant and dangerous years after their discovery.

Fast forward to 2025: CVE-2025-22224 was published on Mar. 4, 2025 and added to CISA’s KEV Catalog less than two hours later. A week later, over 40,000 vulnerable instances were still detected globally, as shown on the Shadowserver dashboard:

Rather than solely focusing on geography, the global vulnerability landscape suggests we should ask ourselves:

·       “Am I running this software?”
·       “Is my software up to date?”
·       “How quickly can I fix it?”
·       Or, for the brave, “Am I prepared to take the risk?”

While more attributes for CVEs may be beneficial, I personally believe the absence of a geographic attribute is a good thing. Patching and updating software should be prioritized regardless of nationality or geographic context. When it comes to maintaining robust cybersecurity, the only good vulnerability is no vulnerability.

Remember: In the digital world, we’re all neighbors. A vulnerability anywhere is a threat just around the corner.

The one big thing

Cisco Talos discovered malicious activities conducted by an unknown attacker as early as January 2025, predominantly targeting organizations in Japan. The attacker exploited a vulnerability, CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

Why do I care?

We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response report for Q4 2024, and this intrusion highlights this ongoing activity. In this case, the attacker establishes persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”

So now what?

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see the National Vulnerability Database. Here are the Snort SIDs for this threat:

·       Snort 2: 64632, 64633, 64630, 64631
·       Snort 3: 301157, 301156

Top security headlines of the week

· The Bluetooth “backdoor” that wasn’t. The original title, “Undocumented backdoor found in Bluetooth chip used by a billion devices,” was updated to a more precise description: “Undocumented commands found in Bluetooth chip used by a billion devices.” (Bleepingcomputer) (Darkmentor)

· A ransomware gang leveraged a vulnerable IP camera in an attack, effectively circumventing Endpoint Detection and Response (EDR). The “Mr. Monk” in me wants to point out that while the article title says “webcam” — which, in my definition, is a camera connected internally or via USB to a PC — the article discusses Linux and SMB shares, which suggests it is an IP camera.  (Bleepingcomputer)

· Massive alleged cyber attack against X (formerly Twitter). This past Monday, a series of outages left X unavailable for thousands of users for at least one hour. Not all details are currently known to the public. (Securityweek)

Can’t get enough Talos?

Cascading Style Sheets (CSS) are ever present in modern day web browsing, however it’s far from their own use. Read our latest blog on Abusing with style: Leveraging cascading style sheets for evasion and tracking.

Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. Read the full blog here: Unmasking the new persistent attacks on Japan

Upcoming events where you can find Talos

· DEVCORE (March 15, 2025) Taipei, Taiwan. Ashley Shen will give a talk on exploit hunting.
· RSA (April 28-May 1, 2025)  San Francisco, CA
· PIVOTcon (May 7-May 9, 2025) Malaga, Spain. Ashley Shen and Vitor Ventura will present “Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling.”
· CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 
· Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f
MD5: 7abf12ab98f4cbed63228bba977cea7e
VirusTotal:  https://www.virustotal.com/gui/file/9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f
Typical Filename: pdfzonepro.msi
Claimed Product: N/A
Detection Name: W32.9C60480AFB-95.SBX.TG

 SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

Cisco Talos Blog – ​Read More