Know thyself, know thy environment

Welcome to this week’s edition of the Threat Source newsletter. 

This week, I’m coming to you from Cisco Live in San Diego where I’ve just talked to a room that some of you may have been in, so writing this feels a bit surreal. It’s really hard to try and write a cogent newsletter with all that’s happening in the world, some directly outside my door. To purposefully butcher Charles Dickens, “It was the worst of times, it was the even worse times.” Nevertheless, I’m persisting.  

I’ve had great conversations with so many smart people this week, but I was reminded once again that the most important tool you can leverage in protecting and securing your environment is knowing your environment and knowing yourself.  

Knowing your environment can and should be tooled and processed so that it can be repeatable. Continuing to know your environment requires constant vigilance and effort. Knowing yourself requires a level of introspection that is hard — and honestly, sometimes I just lift the rug and sweep my issues under it when I can’t tackle that negativity.  

I’ll give you an excellent example: every single thing I write would get flagged as AI. Everything. Why? I use an em dash (“—”) for roughly every four words I write — sometimes more, if I let it fly. It’s clear that I could never go back to school successfully, despite the comedy gold that it would produce. For those of you old enough to remember “Back to School” with Rodney Dangerfield, I think you can imagine. I don’t even want to talk about my kludgy code. Sure, it runs, but at what cost? 

So my advice? Do as I say, not as I do. Learn everything about your environment in a repeatable way, with a clear and documented process. Then analyze your own weaknesses in your work — let’s not try to make miracles happen — and identify chances for you to learn, fill the gaps in your skill set and then do it all over again. The bad guys are really good at learning your environment; make it as hard for them as you can. 

The one big thing 

Cisco Talos recently disclosed several vulnerabilities across various software, including catdoc, Parallels Desktop, NVIDIA cuobjdump and High-Logic FontCreator. Most were patched by their respective vendors; catdoc was the exception, because the vendor was unreachable, so Talos published patches directly.

Why do I care? 

These are bugs in widely used software: file-parsing memory corruption in catdoc, cuobjdump and FontCreator (a crafted document, fatbin or font file can trigger heap corruption or an out-of-bounds read), and local privilege escalation in Parallels Desktop. Understanding these risks is crucial to protecting your systems. 

So now what? 

If you use these programs, update them with the latest patches (for catdoc, apply the Talos-provided fixes or your distribution's patched package). If you're on a security team, grab the latest Snort rules to detect exploitation attempts and keep an eye out for suspicious activity. And if you're a developer, take notes from these vulnerabilities to strengthen your own code and avoid similar pitfalls in your projects. Security is everyone's job!

Top security headlines of the week 

NHS in England calls for blood donors after ransomware attack
The UK’s National Health Service (NHS) is calling for one million donors after a Qilin ransomware attack last summer caused a severe shortage of O-negative blood. (Cybernews)

Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders. (The Register)

Google fixes bug that could reveal users’ private phone numbers 
A security researcher discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. (TechCrunch)

SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords 
Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. (The Hacker News)

Can’t get enough Talos? 

Microsoft Patch Tuesday for June 2025 
Microsoft has released its monthly security update, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”

PathWiper targeting Ukrainian critical infrastructure 
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”

Upcoming events where you can find Talos 

  • REcon (June 27 – 29) Montreal, Canada 
  • NIRMA (July 28 – 30) St. Augustine, FL 
  • Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 
MD5: 3e10a74a7613d1cae4b9749d7ec93515 
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
Typical Filename: IMG001.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Coinminer::1201 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection   

SHA 256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 
MD5: 44d88612fea8a8f36de82e1278abb02f 
VirusTotal: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection
Typical Filename: eicar.com-42987 
Detection Name: eicarTestFile 

Source: Cisco Talos Blog

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallels Desktop, NVIDIA cuobjdump and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors in adherence to Cisco’s third-party vulnerability disclosure policy, except for the catdoc zero-day vulnerabilities, which were patched by our researcher (the patches are in the Cisco-Talos/catdoc-talos-fixes repository on GitHub). This is an unusual case: the vendor could not be reached to fix these high-risk bugs, and our policy does not normally include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

catdoc zero-day vulnerabilities 

Discovered by Ali Rizvi-Santiago of Cisco Talos.    

The catdoc package pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. The vendor was unreachable; Debian will be merging our patches into their distribution. The patches are published at https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record parser of the xls2csv utility in catdoc version 0.95. A specially crafted malformed file can lead to a heap buffer overflow; an attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability in the OLE Document File Allocation Table (FAT) parser of catdoc 0.95, and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT parser. For either vulnerability, a specially crafted malformed file can lead to heap-based memory corruption, and an attacker can provide a malicious file as the trigger. 

Parallels directory traversal and privilege escalation vulnerabilities  

Discovered by KPC of Cisco Talos.    

Parallels Desktop is virtualization software for Mac that runs Windows and other guest operating systems in virtual machines.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). An attacker can exploit it to write to arbitrary files, potentially leading to privilege escalation.

There are also three privilege escalation vulnerabilities in the virtual machine archive restoration and snapshot functionality of Parallels Desktop for Mac version 20.1.1 (55740).

  • TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
  • TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
  • TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.
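The three Parallels bugs share one root cause: a root-privileged service opens or chowns a path that a normal user controls, so a hard link or symlink placed at that path redirects the privileged operation onto a file the user should never be able to touch. The following is an added example written for this page, not Parallels' code. It shows the check a privileged writer should make before touching such a file: open with O_NOFOLLOW, fstat the descriptor, refuse anything that is not a regular file with exactly one link and the expected owner, and then do the write (or fchown) on that descriptor rather than on the path. The scratch directory under /tmp, the file names and the use of the current user as the expected owner are assumptions for the demo.

```c
/*
 * Added example, not Parallels' code: how a privileged service should open a
 * file that lives in a user-controlled location before writing to it or
 * changing its ownership. The demo directory under /tmp, the file names and
 * the use of the current user as the expected owner are assumptions.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Opens `path` for a privileged write without following a symlink
 * (O_NOFOLLOW) and refuses anything that is not a regular file with exactly
 * one link (st_nlink == 1) owned by `expected_uid`. All later work (write,
 * fchown, fchmod) must go through the returned descriptor, never the path,
 * so nothing can be swapped in between the check and the use.
 * Returns a descriptor, or -1 with errno set (ELOOP for a symlink). */
int open_user_file_safely(const char *path, uid_t expected_uid)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static int create_empty(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* 1 if the checked open refuses `path`, 0 if it accepts it. */
static int refused(const char *path)
{
    int fd = open_user_file_safely(path, getuid());
    if (fd < 0)
        return 1;
    close(fd);
    return 0;
}

/* Recreates the scenario from the advisories in a scratch directory: one
 * ordinary file, one file the "attacker" has hard-linked elsewhere, and one
 * symlink. Returns 0 when the ordinary file is accepted and both tricks are
 * refused, or a positive code identifying the first unexpected result. */
int run_demo(void)
{
    char dir[] = "/tmp/hardlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char alone[96], target[96], linked[96], sym[96];
    snprintf(alone,  sizeof alone,  "%s/alone",  dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(linked, sizeof linked, "%s/linked", dir);
    snprintf(sym,    sizeof sym,    "%s/sym",    dir);

    int rc = 0;
    if (create_empty(alone) != 0 || create_empty(target) != 0) rc = 2;
    if (rc == 0 && link(target, linked) != 0) rc = 3;   /* attacker hard-links the file root will write */
    if (rc == 0 && symlink(target, sym) != 0) rc = 4;   /* or plants a symlink where root will chown */

    if (rc == 0) {
        int fd = open_user_file_safely(alone, getuid());     /* single-link regular file: accepted */
        if (fd < 0) rc = 5;
        else {
            if (write(fd, "x", 1) != 1) rc = 6;              /* the privileged write uses the verified fd */
            close(fd);
        }
    }
    if (rc == 0 && !refused(linked)) rc = 7;                 /* st_nlink == 2: refused */
    if (rc == 0 && !refused(target)) rc = 8;                 /* same inode, refused under either name */
    if (rc == 0 && (!refused(sym) || errno != ELOOP)) rc = 9;/* O_NOFOLLOW: refused before any stat */

    unlink(alone); unlink(target); unlink(linked); unlink(sym); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("ordinary file accepted; hard-linked file and symlink refused");
    else
        printf("unexpected result at step %d: %s\n", rc, strerror(errno));
    return rc;
}
```

The st_nlink check closes the hard-link trick and O_NOFOLLOW the symlink trick, but a root service that must write into a user-owned directory is still exposed to rename races on the directory itself. The more robust fixes are to drop privileges to the file owner before the write, or not to write into user-controlled directories at all; on Linux, fs.protected_hardlinks=1 additionally stops unprivileged users from hard-linking files they do not own.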

NVIDIA integer overflow vulnerability  

Discovered by Dimitrios Tatsis of Cisco Talos.    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard `objdump` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 
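The catdoc and cuobjdump advisories describe the same family of bug: a count, length or offset read from the file is combined with arithmetic that wraps (integer overflow in the OLE FAT parser, integer underflow in the DIFAT parser, integer overflow in ELF section parsing), and the wrapped value is then used to size a heap buffer or to bound a copy. The following added example is illustrative code written for this page, not catdoc's or NVIDIA's source. It shows each pattern in an unchecked form beside a checked one, using the real OLE/CFB header layout (sector shift at offset 0x1E, FAT sector count at 0x2C) and a constructed header that claims 2^30 FAT sectors in a 4 KiB file. The exact expressions that were wrong in the vendors' code are not published here, so the "unchecked" helpers are representative of the bug classes, not reproductions.

```c
/*
 * Added example, not catdoc's or NVIDIA's code: the integer-arithmetic
 * mistakes that turn a malformed container file into heap corruption, each
 * beside a checked version. The OLE/CFB header offsets and the ELF
 * section-header fields are real; the "unchecked" helpers are illustrative
 * of the bug classes named in the advisories, not the vendors' source.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFB_HEADER_DIFAT_ENTRIES 109u   /* DIFAT slots stored inline in the 512-byte CFB header */

/* Pattern 1 (FAT parser): a 32-bit product wraps before it is used as an
 * allocation size, so the caller gets a tiny buffer and then copies nfat
 * sectors into it. 0x40000000 * 4096 == 0 (mod 2^32). */
uint32_t fat_bytes_unchecked(uint32_t nfat, uint32_t sector_size)
{
    return nfat * sector_size;
}

/* Checked: widen to 64 bits and bound by the real file size. Returns 0 and
 * sets *out, or -1 when the header describes more FAT than the file holds. */
int fat_bytes_checked(uint32_t nfat, uint32_t sector_size, uint64_t file_size, uint64_t *out)
{
    uint64_t bytes = (uint64_t)nfat * sector_size;
    if (sector_size == 0 || bytes > file_size)
        return -1;
    *out = bytes;
    return 0;
}

/* Pattern 2 (DIFAT parser): unsigned subtraction underflows when the header
 * claims fewer FAT sectors than fit in the inline DIFAT, so the loop that
 * walks the "extra" entries runs for ~4 billion iterations. */
uint32_t difat_extra_unchecked(uint32_t nfat)
{
    return nfat - CFB_HEADER_DIFAT_ENTRIES;   /* nfat == 1 -> 0xFFFFFF94 */
}

uint32_t difat_extra_checked(uint32_t nfat)
{
    return nfat > CFB_HEADER_DIFAT_ENTRIES ? nfat - CFB_HEADER_DIFAT_ENTRIES : 0;
}

/* Pattern 3 (ELF section parsing): an offset + size bounds test that wraps.
 * With sh_offset near 2^32 the sum comes out small, the section "passes",
 * and the following read or write lands outside the mapped file. */
int section_in_bounds_unchecked(uint32_t sh_offset, uint32_t sh_size, uint32_t file_size)
{
    return sh_offset + sh_size <= file_size;
}

/* Checked: rearranged so that no addition can wrap. */
int section_in_bounds_checked(uint64_t sh_offset, uint64_t sh_size, uint64_t file_size)
{
    return sh_offset <= file_size && sh_size <= file_size - sh_offset;
}

static const uint8_t CFB_MAGIC[8] = { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates the FAT sizing claimed by a 512-byte CFB header: signature at
 * 0x00, sector shift at 0x1E, number of FAT sectors at 0x2C. Returns 0 and
 * sets *fat_bytes when consistent with file_size, -1 otherwise. */
int cfb_fat_size_checked(const uint8_t hdr[512], uint64_t file_size, uint64_t *fat_bytes)
{
    if (file_size < 512 || memcmp(hdr, CFB_MAGIC, 8) != 0)
        return -1;
    uint16_t shift = rd16(hdr + 0x1E);
    if (shift != 9 && shift != 12)        /* the format allows only 512- or 4096-byte sectors */
        return -1;
    return fat_bytes_checked(rd32(hdr + 0x2C), 1u << shift, file_size, fat_bytes);
}

/* Builds a constructed header for the demo: valid signature, the given
 * sector shift and FAT sector count, everything else zero. */
void build_crafted_header(uint8_t hdr[512], uint16_t shift, uint32_t nfat)
{
    memset(hdr, 0, 512);
    memcpy(hdr, CFB_MAGIC, 8);
    hdr[0x1E] = (uint8_t)shift;        hdr[0x1F] = (uint8_t)(shift >> 8);
    hdr[0x2C] = (uint8_t)nfat;         hdr[0x2D] = (uint8_t)(nfat >> 8);
    hdr[0x2E] = (uint8_t)(nfat >> 16); hdr[0x2F] = (uint8_t)(nfat >> 24);
}

int main(void)
{
    uint8_t hdr[512];
    uint64_t bytes = 0;
    /* A 4 KiB file whose header claims 2^30 FAT sectors of 4 KiB each. */
    build_crafted_header(hdr, 12, 0x40000000u);
    printf("unchecked FAT size: %u bytes\n", fat_bytes_unchecked(0x40000000u, 4096));
    printf("checked header parse: %s\n", cfb_fat_size_checked(hdr, 4096, &bytes) == 0 ? "accepted" : "rejected");
    printf("DIFAT extra entries for nfat=1: unchecked %u, checked %u\n", difat_extra_unchecked(1), difat_extra_checked(1));
    printf("section at 0xFFFFFFF0+0x20 in a 4 KiB file: unchecked %d, checked %d\n",
           section_in_bounds_unchecked(0xFFFFFFF0u, 0x20, 0x1000), section_in_bounds_checked(0xFFFFFFF0u, 0x20, 0x1000));
    return 0;
}
```

The common thread is that every value taken from the file is compared against something the parser actually knows (the real file size, the inline table size) in arithmetic that cannot wrap, before it is used to allocate, index or copy. Compiling with -fsanitize=undefined does not catch unsigned wraparound, so these checks have to be explicit.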

High-Logic out-of-bounds read vulnerability  

Discovered by KPC of Cisco Talos.    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. 

Source: Cisco Talos Blog

Integrate Threat Intelligence Feeds via TAXII Protocol 

ANY.RUN’s Threat Intelligence Feeds (TI Feeds) provide security teams with exclusive intel on threats targeting 15,000 companies worldwide. With TAXII protocol, you can safely and easily reinforce your company’s proactive detection with TI Feeds.  

Why Use TAXII for TI Feeds? 

TAXII (Trusted Automated eXchange of Indicator Information) is a standard transport protocol for delivering threat intelligence feeds, widely adopted for its security and ease of use. 

TI Feeds can be consumed over the TAXII protocol, which gives you: 

  • Secure and Standardized Data Exchange: TAXII provides a secure framework for transferring threat intelligence.  
  • Customizable Data Delivery: TAXII allows you to tailor the data you receive, whether it’s all available IOCs or specific types such as IPs, URLs or domains.

How ANY.RUN’s TI Feeds Strengthen Businesses’ Proactive Security 

TI Feeds empower your SOC with actionable intelligence to proactively monitor and prevent threats, mitigating breach risks and associated costs.  

With ANY.RUN, MSSP companies get to stand out among competitors by enriching their infrastructure with data on real threats targeting companies across industries. 

Integrate TI Feeds into your system to get: 

  • Detect Threats Early: Access high-quality indicators from threat investigations across 15,000 organizations worldwide to proactively identify and prevent threats from compromising your systems. 
  • Minimize False Positives: The feeds are pre-processed to ensure indicators are reliable and false positive rate is near-zero. 
  • Accelerate Response through Automation: Automatically block malicious IPs, flag related logs, or trigger playbooks based on TI Feeds’ data to reduce manual workload and enable faster reactions.  
  • Gain Better Attack Visibility: Our indicators of compromise come with extensive metadata, as well as links to related sandbox sessions for further analysis. 
  • Simplify Setup: In addition to TAXII protocol support, we offer an API and SDK that deliver ANY.RUN’s feeds in a structured, easy-to-use format, STIX or MISP.

TI Feeds & TAXII: How It Works 

Integration through the TAXII protocol is available to all users with paid plans. You can configure your own system, be that a SIEM, TIP, EDR/XDR, NGFW or other security operations solution, to pull TI Feeds from ANY.RUN’s TAXII endpoint.  

Upon connecting to ANY.RUN’s TAXII server, your system automatically receives fresh threat intelligence. To see what the feeds look like, download a sample in STIX or MISP format.  

For full access to TI Feeds, purchase a subscription or request a 14-day trial.

Your infrastructure will then be enriched with uniquely sourced threat data, and the feeds are ready for further processing: you can correlate them with your own telemetry, launch playbooks and more. 

Contact us to get help with configuration and integration 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 


Source: ANY.RUN’s Cybersecurity Blog

CVE-2025-33053: RCE in WebDAV | Kaspersky official blog

On June 10, as part of its Patch Tuesday, Microsoft fixed, among other issues, CVE-2025-33053, an RCE vulnerability in Web Distributed Authoring and Versioning (WebDAV, an extension of the HTTP protocol). Microsoft doesn’t rate it as critical, but three facts suggest it’s worth installing the corresponding patches as soon as possible:

  • CVE-2025-33053 has a fairly high Common Vulnerability Scoring System (CVSS) score of 8.8;
  • its exploitation has been detected in the wild;
  • Microsoft decided to patch not only modern Windows, but also a number of outdated, no longer supported versions of its operating system.

What is WebDAV and what is the CVE-2025-33053 vulnerability?

At some point in the distant internet past, users needed a way to collaborate on documents and manage files on remote web servers. In answer, an IETF working group created WebDAV, a set of extensions to the HTTP protocol. Support for the new protocol was implemented in the default Windows browser, Microsoft Internet Explorer.

Fast-forward to the beginning of 2023, and Internet Explorer was finally decommissioned, but as we’ve already written, the browser is still very much alive: a number of its mechanisms are still used by third-party applications and by the new Microsoft Edge browser. Attackers therefore continue to search for vulnerabilities that can be exploited through IE components, and CVE-2025-33053 is one of them. It allows attackers to execute arbitrary code if the victim follows a link to a WebDAV server they control, so all the attacker needs to do is convince the victim to click. The exact operating principle of the exploit has not yet been publicly disclosed, but according to the Check Point researchers who found CVE-2025-33053, exploitation involves manipulating the working directory of a “legitimate Windows tool”.

Who can exploit CVE-2025-33053, and how?

Check Point researchers discovered exploitation of this vulnerability in attacks attributed to the Stealth Falcon APT group, known to operate in the Middle East. Now that the research and the patch are public, it is likely that other cybercriminals will try to reverse engineer the patch and build their own exploits as quickly as possible. The ease of exploitation (a single click) and the prevalence of the vulnerable component make CVE-2025-33053 an ideal candidate for malware delivery, ransomware in particular.

How to stay safe?

Windows operating systems should be updated as soon as possible. Microsoft has released patches even for the outdated Windows Server 2012 and Windows 8 (you can find them in the description of CVE-2025-33053). In addition, we recommend using reliable security solutions on all devices used for internet access — they’re able to detect both attempts to exploit vulnerabilities and the launch of malicious code. It also makes sense to regularly raise employee security awareness (for example, using the Kaspersky Automated Security Awareness Platform), because most modern cyberattacks begin with emails or other messages from attackers — who most often use fairly standard tricks.

Source: Kaspersky official blog

5 Key Ways Threat Intelligence Feeds Drive SOC Performance  

Modern Security Operations Centers (SOCs) face an unprecedented challenge: defending against an ever-evolving threat landscape while managing alert fatigue, resource constraints, and the need for rapid response times. The integration of high-quality Threat Intelligence (TI) feeds has proven itself as a force multiplier for SOC teams, transforming reactive security postures into proactive defense strategies. 

ANY.RUN’s Threat Intelligence Feeds exemplify how comprehensive, contextual threat data can enhance SOC performance across multiple operational dimensions. By providing real-time indicators of compromise (IOCs), behavioral insights, and detailed malware analysis, these feeds address core challenges of security teams. 

Quick Recap: How Threat Intelligence Feeds Help SOCs 

Core SOC Challenges and TI Feeds Solutions
Delayed threat detection 
  • Deliver real-time IOCs for instant alerts
  • Correlate network traffic with known threats
  • Early alerts before internal tools trigger
Slow, manual incident response 
  • Automate IP/domain blocking
  • Trigger SOAR response playbooks
  • Flag related activity in SIEMs
  • Lower MTTR with seamless integrations
Limited visibility into attack context 
  • Linked sandbox sessions provide IOC metadata (malware family, behavior) and TTPs
  • Enable proactive rule updates
Analyst overload and burnout 
  • Filter out false positives with curated data
  • Prioritize alerts with risk scores
  • Free analysts for strategic tasks
High business risks 
  • Highlight critical vulnerabilities
  • Allow better prioritization
  • Faster detection/mitigation reduces dwell time

Below, we look at how indicator feeds improve the main performance metrics of security teams, using ANY.RUN’s Threat Intelligence Feeds as the example. 

1. Early Detection of Incidents  

Early detection is critical to preventing full-scale breaches. Threats should be identified before they can establish persistence or cause significant damage. Traditional signature-based detection systems often lag behind emerging threats, creating dangerous gaps in coverage during the critical early stages of an attack. 

ANY.RUN’s TI Feeds offer real-time access to a continuous stream of fresh Indicators of Compromise (IOCs) gathered from thousands of interactive malware sandbox sessions daily. These indicators include malicious IP addresses, domain names, and URLs that can be quickly integrated into SIEM platforms and security tools.  

What makes ANY.RUN’s TI Feeds Stand Out
  • Based on sandbox investigations of threats across 15,000 organizations
  • Unique indicators from Memory Dumps, Suricata IDS, and internal threat categorization systems
  • Verified malicious IPs, domains, and URLs, updated every few hours

Early detection is particularly powerful when combined with automated threat hunting workflows. SOC analysts can configure their systems to automatically query historical logs and network traffic against newly received indicators to uncover ongoing attacks. This retrospective analysis capability means that even if a threat initially bypasses existing controls, it can be identified and contained as soon as relevant intelligence becomes available.  

By reducing the Mean Time to Detection (MTTD), organizations can significantly limit the potential impact of security incidents. 
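As an added example (written for this page, not ANY.RUN’s code or feed format), here is the retrospective-hunting step described above in its simplest form: newly received indicators are matched as whole tokens against existing log lines, so an indicator for evil.example fires on a DNS query for EVIL.EXAMPLE and on a proxy line with dst=evil.example, but not on notevil.example, and 198.51.100.23 does not fire on 198.51.100.230. The indicators and log lines are constructed for the demo; in practice the indicators come from the feed and the lines from the SIEM.

```c
/*
 * Added example, not ANY.RUN's code: a retrospective hunt that matches newly
 * received indicators against existing log lines as whole tokens. The IOC list
 * and the log lines are constructed for the demo; in practice the indicators
 * come from the feed and the lines from the SIEM.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKEN 256

typedef struct { const char *type; const char *value; } ioc_t;

/* Constructed indicators, as a feed client would have stored them. */
static const ioc_t IOCS[] = {
    { "domain", "evil.example" },
    { "ipv4",   "198.51.100.23" },
    { "url",    "http://evil.example/payload.bin" },
};
#define N_IOCS (sizeof IOCS / sizeof IOCS[0])

/* Constructed proxy, DNS and firewall log lines. Lines 0 and 3 are near
 * misses that a naive substring search would report. */
static const char *LOGS[] = {
    "2025-06-10T09:12:01Z proxy user=alice dst=notevil.example url=http://notevil.example/index.html",
    "2025-06-10T09:12:07Z dns query=EVIL.EXAMPLE type=A rcode=NOERROR",
    "2025-06-10T09:12:08Z fw src=10.0.0.7 dst=198.51.100.23 dport=443 action=allow",
    "2025-06-10T09:12:09Z fw src=10.0.0.7 dst=198.51.100.230 dport=443 action=allow",
    "2025-06-10T09:13:00Z proxy user=bob dst=evil.example url=http://evil.example/payload.bin",
};
#define N_LOGS (sizeof LOGS / sizeof LOGS[0])

/* Characters that can appear inside a hostname, IPv4 address or URL path.
 * '=' and whitespace are deliberately excluded so key=value fields split. */
static int is_token_char(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("-._:/", c) != NULL);
}

/* Case-insensitive string equality (hostnames are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns how many indicators occur as whole tokens in `line`. When
 * `first_hit` is non-NULL it receives the first matching indicator. */
int match_line(const char *line, const ioc_t **first_hit)
{
    int hits = 0;
    const char *p = line;
    while (*p) {
        while (*p && !is_token_char((unsigned char)*p)) p++;   /* skip separators */
        const char *start = p;
        while (*p && is_token_char((unsigned char)*p)) p++;    /* consume one token */
        size_t len = (size_t)(p - start);
        if (len == 0 || len >= MAX_TOKEN)
            continue;
        char tok[MAX_TOKEN];
        memcpy(tok, start, len);
        tok[len] = '\0';
        for (size_t i = 0; i < N_IOCS; i++) {
            if (ieq(tok, IOCS[i].value)) {
                if (first_hit && hits == 0)
                    *first_hit = &IOCS[i];
                hits++;
            }
        }
    }
    return hits;
}

/* Runs every stored line against the indicator list, prints the hits and
 * returns the total number of indicator matches. */
int hunt(void)
{
    int total = 0;
    for (size_t i = 0; i < N_LOGS; i++) {
        const ioc_t *hit = NULL;
        int n = match_line(LOGS[i], &hit);
        if (n > 0)
            printf("HIT x%d [%s=%s] %s\n", n, hit->type, hit->value, LOGS[i]);
        total += n;
    }
    return total;
}

int main(void)
{
    printf("%d indicator matches in %zu lines\n", hunt(), N_LOGS);
    return 0;
}
```

Whole-token matching is what keeps a feed from generating the false positives the page warns about; a production hunt would additionally match domain indicators against the host part of URL fields and index the indicator set (a hash set or Aho-Corasick automaton) instead of looping over it per token.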

2. Faster Threat Mitigation 

In cybersecurity, minutes can mean the difference between a contained incident and a major breach. ANY.RUN’s Threat Intelligence Feeds enable automated response mechanisms that dramatically reduce the time between threat identification and mitigation actions. 

The feeds’ structured data format allows for seamless integration with Security Orchestration, Automation, and Response (SOAR) platforms and other security tools. When new malicious indicators are received, automated playbooks can immediately trigger protective actions such as blocking malicious IP addresses at firewalls, quarantining suspicious files, or isolating potentially compromised endpoints. The reduction in manual intervention not only accelerates response times but also ensures consistent execution of response procedures regardless of analyst availability or expertise level. 

[Figure: How SOCs can integrate ANY.RUN’s TI Feeds]

The feeds also support threat hunting automation, where new indicators automatically trigger searches across historical data, network logs and endpoint telemetry. Automation results in a significant reduction in Mean Time to Response (MTTR), often cutting response times from hours to minutes. This acceleration is particularly critical for threats that exhibit rapid lateral movement or data exfiltration capabilities. 
 
You can request a sample of ANY.RUN’s TI Feeds with your preferred settings and get assistance with your integration.  

3. Better Attack Visibility and Proactive Defense  

Understanding the full scope and context of cyber threats is essential for effective defense. ANY.RUN’s Threat Intelligence Feeds provide SOC teams with actionable visibility into campaigns through metadata and direct links to detailed sandbox analysis sessions.  

Each indicator of compromise comes enriched with contextual information, including malware family classification, detection timestamps, related artifacts, and campaign attribution data. This metadata enables analysts to know not just what to block, but why the threat is significant, and how it fits into broader attack patterns.  

How Sandbox Enriches TI Feeds
  • Indicators come with extensive metadata
  • Related sandbox sessions show threats’ execution and TTPs
  • IOCs are linked to specific threats

The integration with ANY.RUN’s Interactive Sandbox provides an additional layer of research depth. When investigating an alert triggered by a threat intelligence indicator, analysts can access the complete sandbox session that generated the IOC, observing the malware’s behavior in real-time.   

For example, here is Virlock ransomware detonated in the Sandbox:  

[Figure: a malware analysis session showing network activity, processes and other data] 

By understanding the tactics, techniques, and procedures (TTPs) associated with specific threat actors, SOC teams can implement preventive measures and monitoring strategies tailored to anticipated attack vectors.

4. Reduced Analyst Fatigue  

An average SOC handles 11,000 alerts daily, with only 19% worth investigating, per the 2024 SANS SOC Survey. Analysts get routinely overwhelmed by high volumes of security alerts, many of which prove to be false positives. ANY.RUN’s Threat Intelligence Feeds address this challenge by improving alert quality and providing the context necessary for rapid triage and decision-making.  

The contextual metadata and sandbox links accompanying each indicator further reduce investigation time by providing analysts with immediate answers to common questions. The sandbox integration is particularly helpful for junior analysts who may lack the skills and experience required for advanced malware analysis.  

The effect is a more sustainable SOC workflow where analysts can focus on high-value activities such as threat hunting, incident response, and security architecture improvements rather than being overwhelmed by alert triage and manual investigation tasks. 

5. Risk Reduction  

The ultimate goal of any security operation is risk reduction, and ANY.RUN’s Threat Intelligence Feeds contribute to this objective through mechanisms that address both immediate tactical threats and overall security posture.  

At the tactical level, the feeds enable rapid identification and mitigation of active threats, directly reducing the organization’s exposure to compromise and impact from successful attacks. The automated response mechanisms fueled by TI Feeds ensure that threats are contained before they can achieve their objectives, whether those involve data theft, system disruption, or lateral movement.  

The proactive defense capabilities enabled by ANY.RUN’s Threat Intelligence Feeds also contribute to long-term risk reduction by helping organizations stay ahead of emerging threats. Rather than simply responding to attacks after they occur, SOC teams can implement preventive measures based on observed attack trends and threat actor innovations.  

How to Integrate Threat Intelligence Feeds from ANY.RUN 

You can test ANY.RUN’s Threat Intelligence Feeds in STIX or MISP format, delivered over TAXII, by requesting a trial on this page.

  • Spot and block attacks quickly to prevent disruptions and damage.  
  • Keep your detection systems updated with fresh data to proactively detect emerging threats.   
  • Handle incidents faster to lower financial and brand damage.   

ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. 

Conclusion 

ANY.RUN’s Threat Intelligence Feeds help SOCs transform into proactive, intelligence-driven operations. The combination of real-time IOCs, rich metadata, and sandbox integration provides SOC analysts with the framework they need to protect their organizations effectively. 

Businesses implementing TI feeds can expect measurable improvements in key performance indicators including Mean Time to Detection, Mean Time to Response, false positive rates, and analyst retention. More importantly, they can expect a fundamental shift from reactive to proactive security operations, with improved resilience against both current and emerging threats. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


Source: ANY.RUN’s Cybersecurity Blog

Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” 

In this month’s release, the one vulnerability Microsoft reports as exploited in the wild is CVE-2025-33053, an “important”-rated RCE in WebDAV (covered separately in this issue); none of the “critical” entries has been observed being exploited. Of the critical entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications, including Windows Remote Desktop Services, Windows Schannel (Secure Channel), the KDC Proxy service, Microsoft Office, Word and SharePoint Server, and two are elevation of privilege vulnerabilities affecting Windows Netlogon and Power Automate. 

CVE-2025-32710 is an RCE vulnerability in Windows Remote Desktop Services with a CVSS 3.1 score of 8.1. Successful exploitation requires the attacker to win a race condition: by connecting to a system with the Remote Desktop Gateway role, the attacker triggers the race to create a use-after-free condition and then leverages it to execute arbitrary code. Microsoft has assessed that the attack complexity is “high” and exploitation is “less likely.” 

CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory in Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit it by sending malicious fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high” and exploitation is “less likely.”  

CVE-2025-33071 is an RCE vulnerability in the Windows KDC Proxy Service (KPSSVC) with a CVSS 3.1 score of 8.1. To exploit it, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in the Kerberos Key Distribution Center Proxy Service and execute code remotely on the target. Microsoft notes that this vulnerability only affects Windows servers configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server; domain controllers are not affected. Microsoft has assessed that the attack complexity is “high” and exploitation is “more likely.”  

CVE-2025-47172 is an RCE vulnerability in Microsoft SharePoint Server with a CVSS 3.1 score of 8.8. Microsoft describes it as improper neutralization of special elements used in a SQL command (SQL injection), which allows an authorized attacker to execute code over a network: an authenticated attacker with at least Site Member permission could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low” and exploitation is “less likely.” 

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. CVE-2025-47164 and CVE-2025-47953 are “use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office, and CVE-2025-47167 is a “type confusion” vulnerability, triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker who exploits any of these vulnerabilities could execute arbitrary code on the victim’s machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is “low,” and exploitation is “more likely.” For CVE-2025-47953, the attack complexity is “low,” and exploitation is “less likely.”  

Microsoft listed two critical elevation of privilege vulnerabilities. 

CVE-2025-33070 is a critical elevation of privilege vulnerability in Windows Netlogon. An attacker could exploit it by leveraging an authentication bypass in the Windows Netlogon service that stems from the use of uninitialized resources. An attacker who successfully exploits this vulnerability could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely.”  

Microsoft noted that CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. The vulnerability exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability, which carries a CVSS 3.1 base score of 9.8, has been fully mitigated and that no further action is required by users.  

Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that exploitation is “more likely:” 

  • CVE-2025-32713 – Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
  • CVE-2025-32714 – Windows Installer Elevation of Privilege Vulnerability. 
  • CVE-2025-47962 – Windows SDK Elevation of Privilege Vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.  

Cisco Talos Blog – Read More

How SOC Teams Save Time and Effort with ANY.RUN: Action Plan 

Recently, we hosted a webinar exploring the everyday challenges SOC teams face and how ANY.RUN helps solve them. From low detection rates to alert fatigue, poor coordination, and infrastructure overhead, our team outlined a practical action plan to tackle it all. 

Missed the session? Here are the key highlights in this quick recap. 


1. Increasing Detection Rate 

Challenge: Malware is getting trickier. Fileless techniques, multi-stage payloads, and threats that hide behind user interactions are slipping past traditional tools. This leaves SOC teams blind to critical risks. 

Solution: ANY.RUN tackles this head-on by giving analysts a fully interactive sandbox environment. You don’t just watch malware from a distance but also engage with it like a real user. Open files, enter passwords, click suspicious links, whatever it takes to trigger the full execution chain. 

One real-world case shows exactly why this is so important. 

View analysis session here 

Fake document with malicious PDF displayed inside ANY.RUN sandbox 

A phishing email came through with an SVG attachment and a password hidden in the message body. Opening the SVG revealed a fake document with a link to download a PDF. That triggered a download of a ZIP archive; one that could only be extracted by manually entering the earlier password. 

Entering password hidden in the message body 

Inside we found an executable file. When run, ANY.RUN flagged it immediately as AsyncRAT, a remote access trojan capable of spying on and controlling infected systems. 

AsyncRAT detected by ANY.RUN sandbox 

Without interactivity, none of this would have unfolded. A fully automated tool wouldn’t have clicked the link, copied the password, or opened the archive. The attack would’ve gone undetected. 

More importantly, the sandbox gave the team: 

  • Network activity visibility, helping block C2 communication before data exfiltration 
  • Malware configuration (MalConf), revealing hardcoded domains and other indicators 

Why it matters for business
  • Higher detection rates: Fewer blind spots and stronger cyber resilience
  • Cost efficiency: Avoiding costly breaches by stopping threats early
  • Proactive threat mitigation: Addressing vulnerabilities before attackers exploit them

2. Accelerating Alert Triage and Incident Response 

Challenge: When a threat gets past initial defenses, every second counts. The longer it takes to triage an alert or respond to an incident, the higher the risk of malware spreading, systems being compromised, and costly damage being done. 

Solution: ANY.RUN provides real-time visibility into malware behavior; no waiting for the sandbox session to end. SOC teams can spot malicious activity the moment it begins, with some malware families being identified even in under 40 seconds. 

View analysis session here 

Detection of RedLine Stealer in 18 seconds 

In one case, a suspicious executable was submitted. Within just 18 seconds, ANY.RUN identified it as RedLine Stealer, an infostealer known for targeting credentials and sensitive data. 

That rapid detection enabled the security team to take immediate action, cutting off further exposure and containing the threat before it spread. 

Why it matters for business
  • Minimized risk exposure: Stop malware early, before it spreads across systems
  • Operational efficiency: Reduce alert fatigue and free up analyst resources
  • Faster, more reliable incident handling: Protect brand trust and stakeholder confidence

3. Streamlining Training and Onboarding

Challenge: Most security tools come with a steep learning curve. New hires, especially junior analysts, often need months of training before they can contribute meaningfully. That slows down onboarding and increases your team’s dependency on a handful of experts. 

Solution: ANY.RUN’s intuitive interface and interactive analysis experience make it a powerful learning environment even for less experienced team members. 

New analysts work directly with real threats in a controlled, visual sandbox environment. Features like Script Tracer and AI Summary break down even complex threats into clear, understandable steps. 

View analysis session here 

In one case, a junior analyst explored a sample involving malicious scripting. By opening the Script Tracer, they followed each function call and saw how the attack unfolded line by line. No guesswork. No external tools. 

And with the AI Summary, they quickly reviewed the session’s key events, including dropped files, command-line activity, and network behavior, all explained in plain terms. 

AI Summary provided by ANY.RUN sandbox 

What the sandbox offered for junior specialists: 

  • Hands-on practice with real malware builds confidence and accelerates learning 
  • Step-by-step script analysis simplifies complex attacks into teachable moments 
  • Automated summaries make onboarding easier and less resource-intensive 

Why it matters for business
  • Skilled workforce: Accelerate team readiness and reduce reliance on senior staff
  • Cost-effective training: No need for expensive onboarding and training
  • Faster onboarding: New hires start contributing sooner, without draining resources

4. Addressing Infrastructure Maintenance 

Challenge: Maintaining local infrastructure for malware analysis can be a huge drain on time, budget, and IT resources. From server upkeep to licensing and hardware limitations, scaling your operations becomes a logistical challenge, especially across global or hybrid teams. 

Solution: ANY.RUN eliminates that overhead with a fully cloud-based sandbox platform. There’s no setup, no hardware dependency, and no waiting around for installations or updates. Everything runs in the browser. 

Your team can launch pre-configured virtual machines (Windows, Linux, or Android) in seconds, whether they’re in the office or halfway across the world. There’s no cap on the number of analyses, and you can scale instantly by adding users without touching infrastructure. 

In fact, one of our enterprise clients, Expertware, reduced their IOC extraction and investigation turnaround time by over 50% after switching to ANY.RUN, all without deploying a single server. 

Read interview details here: How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis 

Key benefits of the sandbox: 

  • Zero setup required: Fully browser-based, ready to go from day one 
  • Unlimited analysis: No hardware limits, no bottlenecks 
  • Pre-configured VMs: Supports cross-platform investigations (Windows, Linux, Android) 

Why it matters for business
  • Cost savings: No on-prem infrastructure or licensing overhead
  • Scalability: Add new users instantly without extra drag
  • Faster time to value: Onboard, analyze, and act faster than traditional setups

5. Improving Team Coordination 

Challenge: Even the best tools fall short when teams can’t work together efficiently. In many SOCs, communication gaps between analysts, team leads, and managers lead to duplicated work, missed alerts, and delays in decision-making. 

Solution: ANY.RUN’s built-in Teamwork Mode is designed to make collaboration effortless, whether your team works in the same office or across time zones. You can create different teams, assign roles, manage access, and track progress, all from a single interface. 

Team management in ANY.RUN 

You also get full control over privacy settings. Make all submissions private by default or customize access levels for each user based on their role. That means sensitive data stays protected without compromising collaboration. 

Learn more about the Teamwork Mode here: ANY.RUN Teamwork Mode Updates 

Why it matters for business
  • Better visibility for managers: Monitor investigations without slowing the team down
  • More structure across teams: Define roles and workflows clearly
  • Improved security posture: Ensure sensitive data is only seen by the right people 

6. Freeing up Analysts for More Important Tasks

Challenge: Manual analysis takes time, and relying on human input for every alert doesn’t scale. But the alternative, fully automated tools, often miss threats that require user interaction to activate, like phishing pages behind CAPTCHAs or payloads inside password-protected files. 

Solution: ANY.RUN bridges that gap with Automated Interactivity, a unique feature that emulates real user behavior inside the sandbox. It clicks, types, solves CAPTCHAs, and opens files, just like a real analyst would, ensuring full detonation of the threat and speeding up investigations. 

That means even in automated mode, your team doesn’t miss threats that rely on tricking the user into doing something first. 

View automated interactivity session here 

In this session, the sandbox was given a phishing URL. It required a CAPTCHA check to reach the final malicious page; something most tools would skip. But with Automated Interactivity, ANY.RUN solved the CAPTCHA, reached the phishing content, and flagged the threat immediately. 

CAPTCHA solved with Automated Interactivity 

Why it matters for business
  • Scalable analysis workflows: Handle more alerts without expanding your team
  • Lower operational costs: Less time per case, more automation without blind spots
  • Consistent detection quality: Get the same deep results whether done manually or programmatically

7. Gaining Better Visibility into Emerging Threats 

Challenge: One of the biggest challenges for SOCs today is staying ahead of threats. When you don’t have enough intel, or worse, outdated intel, you’re forced to react instead of prepare. That slows down your defenses and increases your exposure. 

Solution: ANY.RUN’s Threat Intelligence Lookup (TI Lookup) gives your team access to a constantly updated database of real-world Indicators of Compromise (IOCs), Indicators of Action (IOAs), and Indicators of Behavior (IOBs), collected from hundreds of thousands of sandbox analyses performed by SOC teams across 15,000 businesses. 

With over 40 filterable parameters, your team can create advanced queries to uncover patterns, spot repeat offenders, and enrich investigations with up-to-date threat data. 

Let’s have a look at the following TI Lookup query:  

threatName:"telegram" AND (threatName:"phishing" OR threatName:"possible-phishing") AND (domainName:"*.glitch.me") 

This query helps to collect intel on phishing threats that host malicious pages on the glitch.me domain and use Telegram for exfiltration. 

After hitting Enter, we see fresh threat samples and indicators that match our request. These include IPs, URLs, domains, and links to sandbox analyses of actual phishing attacks. 

TI Lookup query and results

That’s how in seconds we gained over a hundred new indicators that can enrich our defense infrastructure.  

By having just one or two artifacts, you can quickly connect them to the threats, attacks, and campaigns behind them.  


Our database is constantly updated with unique indicators because the data comes from the latest sandbox analyses globally. 

As a result, your team gains: 

  • Fast, flexible search to find IOCs by threat name, behavior, domain, file type, and more 
  • Fresh, actionable data sourced from real sandbox detonations globally 
  • Subscription-based monitoring to stay informed on new threats matching saved queries 

ANY.RUN’s TI Lookup turns passive intel into an active advantage, giving your team the context they need to protect your business from evolving threats. 

Why it matters for business
  • Proactive defense: Equip your team with the intel they need to strengthen defenses before an attack happens, not after
  • Continuous monitoring: Subscribe to threat patterns and stay informed about evolving risks specific to your environment
  • Faster triage and response: Quickly link isolated indicators to known threats and campaigns, helping your team respond with precision and speed

8. Expanding Threat Monitoring and Detection Capabilities 

Challenge: Many detection systems rely on outdated or generic threat feeds. The result is missed attacks, wasted time chasing false positives, and a growing gap between what your team sees and what attackers are actually doing in the wild. 

Solution: ANY.RUN’s Threat Intelligence Feeds (TI Feeds) deliver fresh, high-confidence IOCs straight from live sandbox investigations submitted by over 15,000 companies around the world. These feeds include metadata-rich indicators linked to real execution behavior and attack chains. 

Test and integrate TI Feeds from ANY.RUN  

You can test TI Feeds with a free demo sample 

The feeds are available in widely supported formats (STIX, MISP) and integrate via the TAXII protocol, making it easy to plug directly into your SIEM, SOAR, or XDR platform. 


What your team gains: 

  • Enriched detection systems supplemented with data from active malware campaigns 
  • Unique indicators for identifying emerging malware pulled from memory dumps, Suricata alerts, and internal categorization 
  • Context-aware intel with IOCs tied to sandbox sessions, giving full visibility into how the threat behaves, which is essential for timely and effective incident response 

Why it matters for business
  • Improved detection rates: Expand your visibility with threat data that reflects what attackers are doing right now, not last quarter
  • Competitive advantage: Stay ahead of emerging threats, build resilience, and position your organization as security-forward
  • Proactive security: Fresh, actionable feeds allow your team to take preventive measures, reducing the chances of successful attacks before they even begin

Solve Your SOC Challenges with ANY.RUN 

Security teams today are under constant pressure to detect more, react faster, and do it all with limited resources. ANY.RUN is built to help modern SOCs meet those demands with speed, precision, and clarity. 

ANY.RUN helps your team reduce effort, increase impact, and stay ahead of evolving threats with the tools they actually need. 

Ready to see the difference for yourself? 

Start your ANY.RUN trial to see how our services can contribute to your security→ 

About ANY.RUN 

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.  

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team efficiency. 


ANY.RUN’s Cybersecurity Blog – Read More

Kaspersky study looks at how cybercriminals use games, TV shows, and anime to target Gen Z | Kaspersky official blog

Gen Z, or “Zoomers”, are those born between ~1997 and 2012. That’s a 15-year age gap between the oldest and youngest. So what could they possibly have in common? Well, every member of Gen Z is a digital native. They barely remember a time before computers, smartphones, and social media. More than any other generation, Gen Z loves games (especially our own — Case 404 — we hope!), TV shows, and movies. Sometimes, they even shape their identities by constantly connecting with their favorite characters. Naturally, this level of immersion makes them a prime target for malicious actors.

Kaspersky experts have released two reports detailing how cybercriminals target Gen Z through their love of games, movies, TV shows, and anime. Check out the full versions of the first and second reports to dive deeper.

How gamers get attacked

In the one-year period from April 1, 2024, we recorded at least 19 million attempts to distribute malware disguised as games popular with Gen Z. The top three games targeted by these attacks were GTA, Minecraft, and Call of Duty, together accounting for a staggering 11.2 million attempts. So, why are these particular games at the top of both gamers’ and cybercriminals’ lists? We just might know the reason. They’re replayable; that is, players can dive back in any time and still get a fresh experience. Besides, these titles boast massive online communities. Players are constantly creating content, making mods, and searching for cheats and cracked versions.

One of the most common threats facing Gen Z gamers is phishing — where cybercriminals impersonate a trusted entity and tempt players with promises of free in-game rewards to lure them into sharing personal data. Enticing trade offers and easy ways to earn money are some of the most popular tricks used against gamers.

We uncovered a phishing site that looked eerily similar to a legitimate Riot Games campaign. The campaign aimed to blend two different universes: the game Valorant and the animated series Arcane. Players were invited to “spin the wheel” for a chance to win exclusive new skins. In reality, gamers who participated in this “contest” essentially handed over their gaming accounts, banking details, and phone numbers to third parties. Of course, they received no skins in return.

A beautiful background and recognizable characters — what more do you need to fall for a scam?

But it’s not just about scams. In November 2024, our experts from the Global Research and Analysis Team (GReAT) uncovered a campaign where attackers were distributing the Hexon stealer disguised as game installer files. Once installed, this malware attacked gaming platforms; for example, it could extract user data from Steam. On top of that, Hexon targeted messaging apps like Telegram and WhatsApp, and other social media platforms, such as TikTok, YouTube, Instagram, and Discord.

These fake installers flooded gaming forums, chats on Signal and Telegram, Discord channels, and popular file-sharing sites. The cybercriminals promoted the Hexon stealer using a malware-as-a-service model, where some malicious actors provide malware to others — often less tech-savvy ones — for a fee.

Example of attackers' message in a Discord channel

Interestingly, a short while later, the creator of Hexon announced a rebrand. The stealer was now called “Leet”, and was offered at a 50% discount. Unlike its predecessor, the updated version can bypass sandboxes by checking the infected device’s public IP address and system specifications. If the stealer detects signs of being in a virtual machine, it shuts down immediately.

How movie, TV show, and anime fans get attacked

We dug into some data provided by the Kaspersky Security Network (KSN) — our global threat intelligence network, which processes cyberthreat information from every corner of the world. We analyzed the data for the same one-year period starting April 1, 2024, and here’s what we found:

  • Netflix was dangled as bait in about 85 000 attacks. That’s nearly 233 times a day.
  • Gen Zers aren’t the only ones passionate about anime. Cybercriminals are big fans too, with 250 000 attacks recorded during the reporting period.
  • The total number of leaked streaming-service accounts exceeded seven million.

When it comes to the most exploited streaming platforms, alongside Netflix, we found Amazon Prime Video, Disney+, Apple TV+, and HBO Max at the top of the list. Scammers used these brand names in their campaigns throughout the year, with no significant peaks or troughs in popularity. Mostly, they used a classic approach: sending phishing links to fake websites while pretending to represent a streaming platform. The pretexts, however, varied. In some instances, attackers would prompt users to renew their subscriptions or update payment details — only to direct them to a fake site to do so. Such emails often mimicked the streaming service’s official style, making it easy to miss the red flags.

Phishing website imitating the official Netflix page

Beyond just harvesting personal data, these bad actors also distributed various malware. RiskTool was a big one, accounting for around 80% of all attempts. While not malicious on its own, it’s often used in conjunction with other threats, such as miners, helping them conceal their presence in the infected system.

Many of the attacks were designed to steal users’ personal information. We uncovered roughly seven million compromised accounts across Netflix, Amazon Prime Video, Disney+, Apple TV+, and HBO Max. Stolen accounts are typically used by cybercriminals to spread phishing links and malware to more users, or they’re sold off to other malicious actors at a low price.

Anime fans weren’t spared by the digital villains, either. Unsurprisingly so — recent data shows that over 65% of Gen Z watch anime. To gauge just how often attackers targeted fans of Japanese animation, we focused on five popular anime titles: Naruto, One Piece, Demon Slayer, Attack on Titan, and Jujutsu Kaisen. We recorded over 250 000 attack attempts centered around just these five titles. The undisputed leader? Naruto, with over 114 000 attempts.

How Gen Zers can stay cybersafe

Zoomers should protect themselves in the same way as everyone else who enjoys TV shows, games, movies, and anime, and is generally active online. Here’s a short list of the “golden rules” to help protect your accounts, banking details, and devices from prying eyes.

(If you want to learn more about cybersecurity, try your hand as a detective in our new, free browser-game, Case 404. It features three storylines, each showing what can go wrong when you skip out on proper digital hygiene. But for now, let’s get back to those rules.)

  • Stick to official sources when downloading games, TV shows, and anime. Seriously, ditch the torrents, sketchy third-party sites, and random links strangers share on forums and in chats. And here’s a heads-up: even official game stores can sometimes get infiltrated by malware. To learn more, read Gamers beware: Trojans have invaded Steam.
  • Enable two-factor authentication (2FA) everywhere you can. By the way, tokens can be conveniently stored in Kaspersky Password Manager.
  • Remember the adage about a free lunch? Yep — there’s no such thing. Be skeptical of giveaways of skins, cheats, in-game currency, or supposedly leaked episodes of your favorite TV show or anime.
  • When you’re paying online, only use virtual cards with spending limits. That way, your main bank account stays safe — even if something goes sideways.
  • Use robust security. A security solution will warn you when you’re about to open a phishing website, and help you detect threats in time, even if they’ve already made their way onto your device.
  • Read the full reports on attacks targeting Gen Z. The report on movies, TV shows, and anime is here, and the one on gaming attacks can be found here.

The last, but perhaps one of the most important, rules is to stay one step ahead. Subscribe to our Telegram channel to make your online life safer.

How else attackers target Gen Z as well as other demographic groups:

Kaspersky official blog – Read More

Everyone’s on the cyber target list

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

The one big thing 

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, “PathWiper,” deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine’s infrastructure amid the ongoing war. 

Why do I care? 

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

So now what? 

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

Top security headlines of the week

New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch 
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News)

Vanta bug exposed customers’ data to other customers 
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch)

Data Breach Affects 38K UChicago Medicine Patients 
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector’s system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

Can’t get enough Talos? 

Fake AI installers target businesses. Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

Talos at Cisco Live 2025. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we’ll see you there!

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Detection Name: Simple_Custom_Detection 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

Cisco Talos Blog – Read More

Commercial vs. open-source SIEM: pros and cons | Kaspersky official blog

According to OpenLogic’s “State of Open Source” report, 96% of surveyed organizations use open-source software (OSS). Such solutions can be found in every segment of the IT market — including infosec tools. And they’re often recommended for building SIEM systems.

At first glance, OSS seems like a great choice. A SIEM system’s primary function is systematic telemetry collection and correlation, which you can set up using well-known data storage and processing tools. Just gather all your data with Logstash, hook up Elasticsearch, build the visualizations you need in Kibana — and you’re good to go! A quick search will even get you ready-made open-source SIEM solutions (often built on the same components). With SIEMs, adapting both data collection and processing to your organization’s specific needs is always key, and a custom OSS system offers endless possibilities for that. Besides, the license cost is zero. However, the success of this endeavor hinges on your development team, your organization’s specifics, how long your organization is willing to wait for results, and how much it’s ready to invest in ongoing support.

Time is money

A key question — one whose importance is consistently underestimated — is how long it’ll take before your company’s SIEM not only goes live but actually starts delivering real value. Gartner data shows that even a fully featured, ready-made SIEM takes an average of six months to fully implement — with one in ten companies spending a year on it. And if you’re building your own SIEM or adapting an OSS one, you should expect that timeline to double or triple. When budgeting, multiply that time by your developers’ hourly rates. It’s also hard to imagine a full-fledged SIEM being built and maintained by a single talented individual — your company will need to maintain an entire team.

A common psychological pitfall is being misled by how fast a prototype comes together. You can deploy a ready-made OSS in a test environment in just a few days, but bringing it up to production quality can take many months — even years.

Skill shortages

A SIEM needs to collect, index, and analyze thousands of events per second. Designing a high-load system, or even adapting an existing one, requires specialized and in-demand skills. Beyond just developers, the project would need highly skilled IT administrators, DevOps engineers, analysts, and even dashboard designers.

Another kind of shortage that SIEM builders have to overcome is the lack of hands-on experience needed to write effective normalization rules, correlation logic, and other content that comes out of the box in commercial SIEM solutions. Of course, even that out-of-the-box content requires significant adjustments, but bringing it up to your organization’s standards is both faster and easier.

Compliance

For many companies, having a SIEM system is a regulatory requirement. Those who build a SIEM themselves or implement an OSS solution have to put in considerable effort to achieve compliance. They need to map their SIEM’s capabilities to regulatory requirements on their own — unlike the users of commercial systems, which often come with a built-in certification process and all the necessary tools for compliance.

Sometimes, management might want to implement a SIEM just to “tick a box”, aiming to minimize the expense. But since PCI DSS, GDPR, and other regulatory frameworks focus on the actual breadth and depth of SIEM implementation — not just its mere existence — a token SIEM system implemented just for show would fail to pass any audit.

Compliance isn’t something you can consider only at the time of implementation. If, during self-managed maintenance and operation, any components of your solution stop receiving updates and reach end-of-life, your chances of passing a security audit would plummet.

Vendor lock-in vs. employee dependence

The second most important reason for organizations to consider an open-source solution has always been flexibility in adapting it to their specific needs, along with avoiding reliance on a software vendor’s development roadmap and licensing decisions.

Both of these are compelling arguments, and in large organizations they can sometimes outweigh other factors. However, it’s crucial to make this choice with a clear understanding of its pros and cons:

  • OSS SIEMs can be simpler to adjust for unique data inputs.
  • With an OSS SIEM, you maintain complete control over how data is stored and processed.
  • The cost of scaling an OSS SIEM consists primarily of the price of additional hardware and the development of required features.
  • Both the initial setup and ongoing evolution of an OSS SIEM demand seasoned professionals who are well-versed in both development practices and SOC realities. If the team members who best understand the system leave the company or change roles, the system’s evolution might come to a halt. What’s worse, it gradually becomes less functional.
  • While the upfront implementation cost of an OSS SIEM might be lower due to the absence of license fees, this difference often erodes during the maintenance phase. This is because of the continuous, additional expense of qualified staff dedicated solely to SIEM development. Over the long term, the total cost of ownership (TCO) for an OSS SIEM often turns out to be higher.

Content quality

The relevance of detection and response content is a key factor in a SIEM’s effectiveness. For commercial solutions, updates to correlation rules, playbooks, and threat intelligence feeds are typically provided as part of a subscription. They’re developed by large teams of researchers, undergo thorough testing, and generally require minimal effort from your in-house security team to implement. With an OSS SIEM, you’re on your own when it comes to updates: you need to search community forums, GitHub repositories, and free feeds yourself. The rules then require detailed vetting and adaptation to your specific infrastructure, and the risk of false positives ends up being higher. As a result, implementing updates in an open-source SIEM demands significantly more effort from your internal team.
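To make concrete what the “normalization rules” and “correlation logic” of the Skill shortages section look like, and why the rule vetting described in this section is unavoidable, here is an added example in Python. It is not code from the Kaspersky post or from any SIEM product. It assumes two constructed raw formats (a BSD-syslog sshd line and an invented key=value line standing in for Windows logon events 4624/4625), a fixed year for the syslog timestamps (which carry none), and a hypothetical “N failures then a success from the same source IP” brute-force rule.

```python
"""Added example: normalize two constructed log formats onto one schema, then run a
single correlation rule over them. Not from the original post or any SIEM vendor."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real events). Two sources, two raw formats,
# plus one line the parser does not understand and must drop.
SAMPLE_LOGS = [
    "Jun  5 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Jun  5 10:00:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "Jun  5 10:00:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2025-06-05T10:00:07Z winlog host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.7",
    "2025-06-05T10:00:09Z winlog host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.7",
    "Jun  5 10:00:10 web01 CRON[2214]: pam_unix(cron:session): session opened for user root",
    "Jun  5 10:00:12 web01 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2",
    "Jun  5 10:03:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Jun  5 10:03:30 web01 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2",
    "Jun  5 10:04:00 web01 sshd[2302]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
# Invented key=value format standing in for a Windows logon event; assumption, not a real product format.
WINLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) winlog host=(?P<host>\S+) "
    r"EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
SYSLOG_YEAR = 2025  # assumption: BSD syslog timestamps carry no year


def normalize(line):
    """Map one raw line onto a common schema; None means 'unknown format, dropped'."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "source": "sshd"}
    m = WINLOG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": "failure" if m["eid"] == "4625" else "success",
                "source": "windows"}
    return None


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logons from one source IP, across any log source,
    followed by a successful logon from the same IP within `window`."""
    alerts = []
    failures = defaultdict(deque)  # src ip -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "host": ev["host"], "failures": len(q)})
            q.clear()  # one alert per burst, not one per subsequent success
    return alerts


def run(lines, threshold=5):
    """Full pipeline: parse every line, drop the unparseable ones, correlate the rest."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events, threshold=threshold)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

With the default threshold the only alert is the five failures from 203.0.113.7 (three via sshd, two via the Windows-style events) followed by a successful login as deploy. Lower the threshold to 1 and alice’s single mistyped password also fires, which is exactly the false-positive tuning the section says falls on the internal team when rules arrive without vendor vetting; every new log format also needs its own normalizer before any rule can see it.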

The elephant in the room: hardware

To launch a SIEM, you need to acquire or lease hardware, and depending on the system’s architecture, this expense can vary dramatically. It doesn’t really matter much whether the system is an open-source or proprietary commercial solution. However, when implementing an open-source SIEM on your own, there’s a greater risk of making sub-optimal architectural decisions. In the long run, this translates into persistently high operational costs.

We cover the topic of evaluating SIEM hardware needs in detail in a separate post.

The final tally

While the idea of a fully customizable and adaptable platform with zero licensing fees is highly appealing, there is a significant risk that such a project would demand far more time and effort from your internal development team than an off-the-shelf commercial solution. It may also hinder your ability to quickly adopt new innovations and shift your security team’s focus from developing detection logic and response scenarios to dealing primarily with operational issues. This is why a managed, expert-supported, and well-integrated commercial solution often aligns more closely with a typical organization’s goals of effective risk reduction and predictable budgeting.

Commercial SIEMs enable your team to leverage pre-built rules, playbooks, and telemetry parsers, allowing it to focus on organization-specific projects — such as threat hunting or improving visibility in cloud infrastructure — instead of reinventing and refining basic SIEM features, or struggling to pass regulatory audits with a homegrown system.

Kaspersky official blog – Read More