Fresh, actionable IOCs from the latest malware attacks are now available to all security teams using the ThreatQ TIP. ANY.RUN’s Threat Intelligence Feeds integrate seamlessly with the platform, enabling SOCs and MSSPs to boost detection rates, expand threat coverage, and streamline response.  

Here’s how you can benefit from it. 

Real-Time Visibility of the Current Threat Landscape 

As a leading Threat Intelligence Platform (TIP) widely adopted in enterprise SOCs, ThreatQ serves as a powerful indicator management solution, facilitating response. 

ANY.RUN’s Threat Intelligence Feeds connector for ThreatQ provides a real-time stream of fresh, filtered, low-noise network IOC from sandbox investigations of the latest attacks by 15,000+ companies and 500,000+ analysts.  

Follow a guide to implement in your SOC → 

With STIX/TAXII support, TI Feeds can be made a part of SOCs’ security infrastructure without additional custom development or costs, helping them maximize the value of their existing ThreatQ setup. As a result, security teams can achieve: 

• Early Detection: IOCs added to TI Feeds as soon as they emerge from live sandbox analyses, enabling proactive identification of new threats in your SOC. 

• Expanded Threat Coverage: 99% unique indicators from global attacks 
(e.g., phishing, malware) provide visibility into threats traditional feeds miss. 

• Informed Response: Each IOC comes enriched with a link to a sandbox report, showing the full attack being detonated on a live system, providing SOCs with actionable context for fast mitigation. 

• Reduced Workload: Filtered for malicious alerts, cutting Tier 1 analysis time spent on false positives. 

How SOC Teams Can Use TI Feeds: Case Example 

Threat Intelligence Feeds improve and simplify the core operations of security teams, delivering measurable results. Here’s a possible case for using our fresh threat intelligence to spot and contain attacks: 

• Easy Setup for Fast IOC Delivery 
  Connect ANY.RUN’s TI Feeds to ThreatQ via STIX/TAXII in minutes. Choose hourly, daily, or custom schedules to get real-time IOCs from global incidents, keeping your SOC ahead of new threats. 

• Power SOC Analysis with Actionable Data 
  ANY.RUN’s TI Feeds flow into ThreatQ, providing fresh IOCs to analyze alerts, investigate incidents, or enrich SIEM/EDR systems. This speeds up threat detection and strengthens your defense strategy. 

• Streamline Response and Prevention 
  Use ANY.RUN’s IOCs in ThreatQ to automate threat blocking, isolate risks, or enhance playbooks and visualizations. SOC analysts and threat hunters can respond faster and prevent attacks, saving time and reducing breach risks. 

How to Implement  

The connector operates through the STIX/TAXII protocol, allowing clients to configure feed schedules within ThreatQ’s flexible options: hourly, every 6 hours, daily, bi-daily, bi-weekly, or monthly updates. 

ThreatQ leverages ANY.RUN data for real-time or scheduled analysis as a malicious indicator source for alert and incident investigation. With additional connectors, organizations can optionally forward intelligence to their SIEM/EDR systems. 

Workflow Capabilities 

Depending on configuration settings, the system supports: 

• Manual or automated response actions (isolation, blocking, escalation) 

• Investigation enrichment and new rule/playbook configuration 

• Advanced visualizations for analysts and threat hunters 

Quick Setup Guide with 5 Easy Steps: 

1. Open ThreatQ and click My Integrations in the Integrations tab. 

2. Click Add New Integration. 

3. Configure TAXII Connection: go to the tab Add New TAXII Feed, fill out the configuration form.

For detailed information, see ANY.RUN’s TAXII connection documentation.  

4. After adding the TAXII feed, click on the settings button in the created connector card. Set switch to Enabled, and you’re all set up. 

5. After finalizing the configuration, use the retrieved indicators to: 

• Export them to SIEM/SOAR to automate detection and blocking of threats 

• Prioritize high-risk threats to stay focused on the most critical incidents 

• Combine them with data from other sources to gain full visibility into attacks 

• Enrich and accelerate threat hunting and investigations with actionable intelligence 

• Launch playbooks for automated response to threats.  

About ANY.RUN  

ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.   

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.   

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.   

Want to see it in action? Start your 14-day trial of ANY.RUN today →  

The post ANY.RUN & ThreatQ: Boost Detection Rate, Turbocharge Response Speed  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

 A SOC is where every second counts. Amidst a flood of alerts, false positives, and ever-short time, analysts face the daily challenge of identifying what truly matters — before attackers gain ground. 

That’s where alert triage comes in: the essential first step in detecting, prioritizing, and responding to threats efficiently. Done right, it defines the overall effectiveness of a SOC or MSSP and determines how well an organization can defend itself.

Spoiler Alert About Alerts 

Here’s your spoiler for today: good triage starts with great threat intelligence. 

ANY.RUN’s Threat Intelligence Lookup doesn’t just enrich alerts — it rewrites the rules of triage by turning scattered IOCs into instant context. But we’ll get there. Let’s start from the analyst’s desk, where the real noise begins. 

Why Triage Is the Heartbeat of the SOC 

Behind every successful SOC, there’s a smooth triage flow that keeps chaos under control. It’s not just about filtering alerts. It’s about shaping the SOC’s rhythm and resilience. 

When analysts perform triage effectively: 

• They build the first and strongest defense layer against real attacks. 

• They ensure human attention is spent where it matters most. 

• They create a foundation for accurate detection and response metrics like MTTD and MTTR. 

• They make security predictable and measurable, not reactive and random. 

The Daily Puzzle: Making Sense of a Thousand Pings 

The challenge is not a lack of data — it’s too much of it. The toughest barriers to effective triage include: 

• Alert overload — When every ping demands attention, focus becomes the first casualty. 

• False positives — Automation can cry wolf more often than it should. 

• Threat complexity —Today’s attackers employ sophisticated techniques designed to evade detection. 

• Context gaps — An IP is just an IP until you know its story. 

• Time compression — Analysts often have seconds, not minutes, to make judgment calls. 

• Data silos — TI feeds, SIEMs, and sandboxes don’t always talk to each other. 

The result? Valuable threats risk getting buried under a pile of meaningless noise.

Speed, Precision, and the Numbers That Matter 

In triage, speed without accuracy is chaos, and accuracy without speed is luxury. That’s why SOCs track their efficiency through key metrics. KPIs aren’t just for bosses—they’re your triage compass. Track these to benchmark progress and spot bottlenecks: 

 
High-performing SOCs balance speed and certainty by using intelligence enrichment to cut decision time without cutting quality. Those KPIs are not just numbers; they’re the story of how well your triage works. 
 

From Metrics to Meaning: Why Triage Drives Business Outcomes 

Triage might look like a technical process, but its impact is strategic. Understanding how your triage work supports broader business objectives, helps you make better decisions, and communicate your value effectively. 
 
For SOCs and MSSPs, efficient triage is a business differentiator: 

• Fewer false positives mean less analyst burnout and higher client capacity. 

• Faster incident validation means better SLA performance and client trust. 

• Smarter prioritization reduces wasted time and investigation costs. 

• Structured triage data improves long-term visibility and readiness. 

In short, triage is where operational efficiency meets customer confidence — and where the SOC’s reputation is quietly built every day.

Turning Alerts into Insight: How ANY.RUN TI Lookup Changes the Game 

ANY.RUN’s Threat Intelligence Lookup is a comprehensive threat intelligence service that provides instant access to detailed information about files, URLs, domains, and IP addresses. It enables analysts to explore IOCs, IOBs, and IOAs using over 40 search parameters, basic search operators, and wildcards. The data is derived from millions of live malware sandbox analyses run by a community of 15K corporate SOC teams.  

When you encounter suspicious artifacts, you can query the service to obtain behavioral analysis, threat classification, and historical context — all within seconds. 
 
Here’s what it brings to the triage table:  

Instant IOC Enrichment 

Drop in any hash, IP, or domain and see how it ties to known malware families, timelines, and campaigns — in seconds. Let’s take for example a suspicious IP spotted in the traffic:  
 
domainName:”23.ip.gl.ply.gg” 

In an instant, one knows that the domain is linked to several notorious trojans and has been spotted in recent incidents thus being certainly malicious and actively used.  

Real-Time Malware Activity Stats 

The “Malware Threats Statistics” feature spotlights live, active infrastructures, showing which malware families are truly circulating today. 

This tab can also be a source of recent IOCs for monitoring and detection.  

Behavioral Pivoting 

With one click, analysts can move from static enrichment to dynamic ANY.RUN sandbox reports, verifying behavior firsthand. 

Risk-Based Prioritization 

TI Lookup reveals which alerts link to active C2s or payloads, helping teams focus on what’s actually dangerous. 

For example, certain malware families are known to use specific DGA-domains implementations. The following query targets these associations:  

(threatName:”redline” OR threatName:”lumma”) AND domainName:”.” AND destinationIpAsn:”cloudflare” 

Analyst Efficiency Background 

With TI Lookup, teams unlock the next level:  

• Faster Triage: Two-second access to millions of past analyses confirms if an IOC belongs to a threat, cutting triage time. 

• Smarter Response: Indicator enrichment with behavioral context and TTPs guide precise containment strategies. 

• Fewer Escalations: Tier 1 analysts can make decisions independently, reducing escalations to Tier 2. 

Shared Knowledge, Unified Context 

Lookup data can feed SIEMs or case systems, keeping the entire SOC aligned on the same intelligence. For native seamless integrations and connections to SIEM solutions try ANY.RUN’s Threat Intelligence Feeds.

Building Your Expert Triage Practice 

Beyond tools and technology, developing expert triage skills requires deliberate practice and continuous improvement. Here are strategies to enhance your capabilities: 

Develop Pattern Recognition 

Over time, you’ll begin recognizing patterns in threats and false positives. Certain types of alerts consistently prove benign, while others frequently indicate genuine threats. Document these patterns and share them with your team to build collective knowledge. Keep TI Lookup at hand to check alerts in case you are not sure and calibrate your threat radar.  

Create Decision Trees 

For common alert types, develop decision trees that guide your triage process. It’ll reduce cognitive load, freeing mental resources for complex cases. 

Maintain a Knowledge Base 

Document your triage decisions, especially for ambiguous or challenging cases. Include the reasoning behind your decisions and the outcomes.  

Continuous Learning 

The threat landscape evolves constantly, requiring ongoing education. Dedicate time to reading threat intelligence reports, studying new attack techniques, and learning from post-incident reviews. This investment in knowledge pays dividends in improved triage accuracy. 

Take Care of Yourself 

Analyst fatigue is real and impacts your performance. Take regular breaks, maintain work-life balance, and don’t hesitate to ask for support when workload becomes overwhelming. Your long-term effectiveness depends on sustainability, not short-term heroics. 

Conclusion: Mastering the Art and Science of Triage 

Alert triage combines technical skills, analytical thinking, and sound judgment. As an analyst, you’re not just processing alerts. You’re making critical decisions that protect your organization from sophisticated threats while managing resource constraints and time pressure. 

The challenges you face are significant: overwhelming alert volumes, persistent false positives, complex threats, and the ever-present risk of fatigue. However, by understanding these challenges and leveraging solutions like ANY.RUN’s Threat Intelligence Lookup, you can transform your triage practice from reactive firefighting to proactive threat hunting. 

The future of security operations depends on analysts who can work both fast and smart. With the right approach, tools, and mindset, you can meet the challenges of modern threat detection while building a rewarding and sustainable career in cybersecurity. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows, Linux, and Android systems.  

Combined with Threat Intelligence Lookup and Feeds, businesses can expand threat coverage, speed up triage, and reduce security risks. 

Request trial of ANY.RUN’s services to test them in your organization → 

The post No Threats Left Behind: SOC Analyst’s Guide to Expert Triage  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. One striking detail was how the SVG embeds JavaScript that rebuilds the payload with XOR and then executes it directly via eval() to redirect victims to a phishing page. 

A quick look at the indicators we found showed that nearly all related cases used the same exfiltration addresses. Even more telling: the client-side logic and obfuscation techniques were unchanged across samples, and the communication with the C2 servers was implemented in several steps, with validation of the victim’s current authorization state at each stage. 

All this suggests the threat has a certain level of maturity; it’s not just an unusual delivery method, but something that behaves like a phishing kit. 

To test that hypothesis, measure the scale of the problem, and be able to tell this threat apart from others, we performed a technical analysis of the samples and labeled the family Tykit (Typical phishing kit). Here’s what we found. 

Key Takeaways 

• The first samples appeared in the ANY.RUN’s Interactive Sandbox in May 2025, with peak activity observed in September–October 2025. 

• It mimics Microsoft 365 login pages, targeting corporate account credentials of numerous organizations. 

• The threat utilizes various evasion tactics like hiding code in SVGs or layering redirects. 

• The client-side code executes in several stages and uses basic anti-detection techniques. 

• The most affected industries include construction, professional services, IT, finance, government, telecom, real estate, education, and others across US, Canada, LATAM, EMEA, SE Asia and Middle East. 

Discovery & Pivoting: How ANY.RUN Detected the Threat 

Beginning with the analysis session in the ANY.RUN Sandbox, we quickly found the artifacts needed to expand the context: 

View analysis session 

The same SVG image was used for redirection (SHA256: a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892 

The fake Microsoft 365 login page was hosted on the domain loginmicr0sft0nlineeckaf[.]52632651246148569845521065[.]cc; the URL contained the parameter /?s=, which could be useful for further searching. 

A POST request was sent to the server segy2[.]cc, targeting the URL /api/validate and containing data in the request body. 

Let’s try pivoting this, using a Threat Intelligence Lookup query: 

sha256:”a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892″ OR domainName:”^loginmicr*.cc$” OR domainName:”^segy*” 

The result was encouraging: 189 related analysis sessions, most of them with a Malicious verdict. The earliest analysis containing the searched indicators dates back to May 7, 2025: 

View the earliest session with TYkit 

Bingo! The same activity was observed several months earlier; phishing campaigns featuring URLs with the parameter /?s=, and requests sent to the server segy[.]cc, whose domain name is almost identical to the original one. 

A search using domainName:”^segy.” revealed a few more related domains: 

With several hundred submissions recorded between May and October 2025, all sharing nearly identical patterns, this could hardly be a coincidence. The template-based infrastructure, identical attack scenarios, and a set of URLs resembling C2 API endpoints; could this be a phishing kit? 

It was necessary to analyze the JavaScript code from the phishing pages to see whether there were any recurring elements across samples, how sophisticated the code was, how many execution stages it included, and whether it implemented any mechanisms to prevent analysis. 

Technical Analysis: How the Attack Unfolds 

Let’s look at another analysis session that reproduces the credentials-entry stage; a critical phase, because most phishing kits reveal themselves fully at the point of exfiltration: 

Step 1: SVG as the delivery vector 

The attack vector remains an SVG image that redirects the browser. The image uses the same design, but this time includes a working check-stub that prompts the user to “Enter the last 4 digits of your phone number” (in reality any value is accepted). 

Step 2: Trampoline and CAPTCHA stage 

After the check is submitted, the page redirects to a trampoline script, which then forwards the browser to the main phishing page. 

Example: hxxps://o3loginrnicrosoftlogcu02re[.]1uypagr[.]com/?s= 

The value of the s= parameter is the victim’s email encoded in Base64. 

Next, a page with a CAPTCHA loads; the site uses the Cloudflare Turnstile widget as anti-bot protection.  

It’s worth noting that the client-side code includes basic anti-debugging measures, for example, it blocks key combinations that open DevTools and disables the context menu. 

Step 3: Credential capture and C2 logic 

After the CAPTCHA is passed, the page reloads and renders a fake Microsoft 365 sign-in page. 

At the same time, a background POST request is sent to the C2 server at ‘/api/validate’. The request body contains JSON with the following fields: 

• “key”: a session key, or possibly a “license” key for the phishing kit. 

• “redirect”: the URL to which the victim should be redirected. 

• “email”: the victim’s email address, decoded; present if the s= parameter was populated earlier. 

The logic for sending the request, validating the response, and retrieving the next stage of the payload is implemented in an obfuscated portion of the page; after deobfuscation, it looks like this: 

The C2 server responds with a JSON object that contains: 

• “status”: the C2 verdict — “success” or “error”. 

• “message”: the next stage, provided as HTML. 

• “data”: {“email”}: the victim’s email address. 

The next stage presents the password-entry form. The returned HTML also embeds obfuscated JavaScript that implements the logic for exfiltrating the stolen credentials to the C2 endpoint ‘/api/login’ and for deciding the page’s next actions (for example: show a prompt “Incorrect password”, redirect the user to a legitimate site to hide the fraud, etc.). 

A couple of notable snippets illustrate this behavior: 

The JSON sent in the POST /api/login request contains the following fields: 

• “key”: The key (see above for possible meaning). 

• “redierct”: The redirect URL (note the misspelling in the field name). 

• “token”: An authorization JWT. Notably, the sample token 
  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiZjk5M2NkZS1mOTdiLTQyYTctODcxYy1lOTk1MDgzMmM5NjgiLCJleHAiOjE2OTkxNzc0NjF9.p9-OI0LCYcOjaU1I3TMZTjNSos50txbV3_Mi1jk1u8c 
  decodes to an expired token; the exp claim is 1699177461, which corresponds to Sunday, November 5, 2023, 09:44:21 GMT. 

• “server”: The C2 server domain name. 

• “email”: The victim’s email address. 

• “password”: The victim’s password. 

These fields are then used by the server response to control what the victim sees next and whether additional actions (debugging hooks, logging, further redirects) are triggered. 

The response to the POST /api/login request is a JSON object with the following fields: 

• “status”: “success” | “info” | “error” 

• “d”: “<HTML payload to be shown to the user>” 

• “message”: “Text such as ‘Incorrect password’ when the user enters the wrong password” 

• “data”: { “email”: “<victim email>” } 

Behavior depends on the value of status: 

• “success”: Render the HTML payload found in “d” to the user. 

• “info”: Send a (likely debugging) POST request to /x.php on the C2 server. The logic for this flow is shown in the figure below. 

• “error”: Display an error message (for example, “Incorrect password”). 

At this point the execution chain of the phishing page ends. In sum, the page implements a fairly involved execution mechanism: the payload is obfuscated, there are basic (nonetheless effective) anti-debugging measures, and the exfiltration logic runs through several staged steps. 

Detection Rules for Identifying Tykit Activity 

After analyzing the structure of the Tykit phishing payload and the requests sent during the attack, we developed a set of rules that allow detecting the threat at different stages of its implementation. 

SVG files 

Let’s start with the SVG images themselves. While embedding JavaScript in SVGs can enable legitimate functionality (for example, interactive survey forms, animations, or dynamic UI mockups), it’s frequently abused by threat actors to hide malicious payloads. 

One common way to distinguish benign code from malicious is the presence of obfuscation; techniques that hinder triage and signature-based analysis by security tools and SOC analysts. 

To improve detection rates for this vector (even without attributing samples to a specific actor), monitor for: 

• General signs of code obfuscation, e.g. frequent calls to atob(), parseInt(), charCodeAt(), fromCodePoint(), and generated variable names like var _0xABCDEF01 = … often produced by tools such as Obfuscator.io. 

• Use of the unsafe eval() call, which executes arbitrary code. 

• Script logic that redirects or alters the current document; calls to window.location.* or manipulation of hrefattributes. 

Below is a code snippet taken from an SVG used to load Tykit’s phishing page: 

Domains 

In nearly all cases linked to Tykit, the operators used templated domain names. For exfiltration servers we observed domains matching the ^segy?.* pattern, for example: 

• segy[.]zip 

• segy[.]xyz 

• segy[.]cc 

• segy[.]shop 

• segy2[.]cc 

For the main servers hosting the phishing pages, aside from abuse of cloud and object-storage services, the operators frequently registered domains that appear to be generated by a DGA (domain-generation algorithm). These domains match a pattern like: ^loginmicr(o|0)s.*?.([a-z]+)?d+.cc$ 
 

To collect all IOCs and perform a detailed case analysis, see the TI Lookup query: 

domainName:”^loginmicr?s*.*.cc$” 

C2 & Exfiltration Logic 

Finally, the main distinction between Tykit and many other phishing campaigns is the set of HTTP requests sent to the C2 that determine the next actions and handle exfiltration of victim data. 

After analyzing the JavaScript used across samples, we identified the following requests: 

1. GET /?s=<b64-encoded victim email> 

A series of initial requests used to pass Cloudflare Turnstile and load the phishing page; the s parameter may be empty. 

2. POST /api/validate 

The first C2 request, used to validate the supplied email. The request body contains JSON with fields (see earlier): 

• “key” 

• “redirect” 

• “email” 

The server responds with JSON containing: 

• “status” 

• “message” (next stage, as HTML) 

• “data”: {“email”} 

3. POST /api/validate (variant) 

A second variant of the validation request whose JSON body includes: 

• “key” 

• “redirect” 

• “token” 

• “server” 

• “email” 

The response has the same structure as above. 

4. POST /api/login 

The data-exfiltration request. The JSON body contains: 

• “key” 

• “redierct” (sic — note the misspelling) 

• “token” 

• “server” 

• “email” 

• “password” 

The response JSON instructs how to change the state of the phishing page and includes: 

• “status” 

• “d” (HTML payload to render) 

• “message” 

• “data”: {“email”} 

5. POST /x.php 

Likely a debugging/logging endpoint triggered when the previous /api/login response contains “status”: “info”. The JSON body includes: 

• “id” 

• “key” 

• “config” 

The format of the server’s response to this request was not determined during the investigation. 

Who’s Being Targeted 

We collected several signals about the industries and countries targeted by Tykit. 

Most affected countries: 

• United States 

• Canada 

• South-East Asia 

• LATAM / South America 

• EU countries 

• Middle East 

Targeted industries: 

• Construction 

• Professional services 

• IT 

• Agriculture 

• Commerce / Retail 

• Real estate 

• Education 

• Design 

• Finance 

• Government & military 

• Telecom 

There are no unusual TTPs to call out;  this is another wave of spearphishing aimed at stealing Microsoft 365 credentials, featuring a multi-stage execution chain and the capability for AitM interception. 

Taken together, given the wide geographic and industry spread and the TTPs that match standard phishing kit behavior, the threat has been active for quite some time. It appears to be a typical PhaaS-style framework (hence the name TYpical phishKIT, or Tykit). Time will tell how it evolves. 

How Tykit Affects Organizations 

Tykit is a credential-theft campaign that targets Microsoft 365 accounts via a multi-stage phishing flow. Successful compromises can lead to: 

• Account takeover (email, collaboration tools, identity tokens) enabling persistent access. 

• Data exfiltration from mailboxes, drives, and connected SaaS apps. 

• Lateral movement inside environments where cloud identities map to internal resources. 

• AitM interception of MFA or session tokens, increasing the chance of bypassing second-factor protections. 

• Operational and reputational damage (incident response costs, regulatory exposure, loss of client trust). 

Sectors at higher risk reflect the campaign’s targeting: construction, professional services, IT, finance, government, telecom, real estate, education, and others across US, Canada, LATAM, EMEA, SE Asia and Middle East. 

How to Prevent Tykit Attacks 

Tykit doesn’t reinvent phishing, but it shows how small technical tweaks, like hiding code in SVGs or layering redirects, can make attacks harder to catch. Still, with better visibility and the right tools, teams can stop it before credentials are stolen. 

Strengthen email and file security 

SVG files may look safe but can hide JavaScript that executes in the browser. Ensure your security gateway actually inspects SVG content, not just extensions. Use sandbox detonation and Content Disarm & Reconstruction (CDR) to uncover hidden payloads. The ANY.RUN Sandbox is particularly effective for detonating such files and exposing their redirects, scripts, and network calls in seconds. 

Use phishing-resistant MFA 

Tykit highlights how traditional MFA can be bypassed. Switch to phishing-resistant methods like FIDO2 or certificate-based MFA, disable legacy protocols, and enforce Conditional Access in Microsoft 365. Reviewing OAuth app consents and token lifetimes regularly helps minimize exposure. 

Monitor for key indicators 

Watch for outbound requests to domains such as segy* or loginmicr(o|0)s.*.cc, and POST requests to /api/validate, /api/login, or /x.php. ANY.RUN’s Threat Intelligence Lookup can quickly connect these IOCs to other related phishing activity, giving analysts context in minutes. 

Automate detection and threat hunting 

Configure your SIEM or XDR to alert on suspicious Base64 query parameters (like /?s=) or requests following Tykit’s structure. Integrating ANY.RUN’s Threat Intelligence Feeds ensures new indicators, fresh domains, hashes, and URL patterns, are automatically available for detection. 

Educate and respond fast 

Regular awareness training helps users recognize that even “image” files can trigger phishing chains. If an incident occurs, isolate affected accounts, revoke sessions, and reset credentials.  

Using ANY.RUN’s Interactive Sandbox during incident response can accelerate this process: analysts can safely replay the infection chain, confirm what data was exfiltrated, and extract accurate IOCs within minutes. This shortens MTTR and helps strengthen detections for the next wave of similar campaigns. 

Conclusion: Lessons from a “Typical” Phishing Kit 

We reviewed another sobering example of how phishing remains front and center in the cyber-threat landscape, and how regularly new tools appear to carry out these attacks; each one differing from its predecessors in some way. 

We labeled this example Tykit, examined its technical details, and derived several detection and hunting rules that, taken together, will help detect new samples and monitor the campaign’s evolution. 

Tykit doesn’t include a full arsenal of evasion and anti-detection techniques, but, like its more mature counterparts, it implements AitM-style data interception and methods to bypass multi-factor protections. It also relies on a quasi-distributed network architecture: servers are assigned dynamic domain names and roles are separated between “delivery” and “exfiltration.” 

Empowering Faster Analysis with ANY.RUN 

Investigating campaigns like Tykit can be time-consuming, from detecting a single suspicious SVG to uncovering the entire phishing infrastructure behind it. ANY.RUN helps analysts turn hours of manual work into minutes of interactive analysis. 

Here’s how: 

1. See the full attack chain in under 60 seconds. 
   Detonate SVGs, phishing pages, or any other file type in real time and instantly observe redirects, scripts, and payload execution. 

2. Reduce investigation time. 
   With live network mapping, script deobfuscation, and dynamic IOCs, analysts can skip static triage and focus directly on what matters. 

3. Cut MTTR by more than 20 minutes per case. 
   Quick visibility into C2 communications, credential-capture logic, and data exfiltration flows allows teams to respond faster and with higher confidence. 

4. Boost proactive defense. 
   Using ANY.RUN Threat Intelligence Lookup, SOC teams can pivot from a single domain or hash to hundreds of related submissions, revealing shared infrastructure and campaign patterns to enrich detection rules for catching future attacks. 

5. Strengthen detections with fresh intelligence. 
   Automatically enrich your security tools with new indicators with TI Feeds sourced from live sandbox analyses and community contributions. 

For SOC teams, MSSPs, and threat researchers, ANY.RUN provides the speed, depth, and context needed to stay ahead of campaigns like Tykit, and the next one that follows. 

See every stage of the attack. Strengthen your detections. Try ANY.RUN now 

About ANY.RUN  

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.   

Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.   

Explore more ANY.RUN’s capabilities during 14-day trial→ 

IOCs: 

SHA256 of observed SVG files: 

• ECD3C834148D12AF878FD1DECD27BBBE2B532B5B48787BAD1BDE7497F98C2CC8 

• A7184BEF39523BEF32683EF7AF440A5B2235E83E7FB83C6B7EE5F08286731892 

Observed domains & domain patterns: 

• segy[.]zip 

• segy[.]xyz 

• segy[.]cc 

• segy[.]shop 

• segy2[.]cc 

• ^loginmicr(o|0)s.*?.([a-z]+)?d+.cc$ 

Observed URLs: 

• GET /?s=<b64_victim_email> 

• POST /api/validate 

• POST /api/login 

• POST /x.php 

The post Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

When we interact with artificial intelligence, we often share a significant amount of personal information without giving it much thought. This information can range from dietary preferences and marital status to our home address and even social security number. To ensure the security and privacy of this highly sensitive information, it’s essential to understand exactly what the AI does with your data: where it stores it and whether it uses it for training.

In this post, we take a closer look at the data collection policy of one of the most popular AI apps, ChatGPT, and explain how to configure it to maximize your privacy and security to the extent that OpenAI allows it. This is a long guide — but a comprehensive one.

Table of contents

• What data ChatGPT collects about users
• Why ChatGPT collects data, and whether it’s used for model training
• How you can prohibit ChatGPT from using various types of your data for training
• What ChatGPT remembers about you, and how you can manage AI memory
• How you can enable Temporary Chats in ChatGPT, and why you should use them
• How to configure ChatGPT to work with local apps on your device
• The risks of connecting third-party online services to ChatGPT, and how to disable these connections
• How to protect your ChatGPT account from being hacked

What data ChatGPT collects about you

OpenAI, the owner and developer of ChatGPT, maintains two privacy policies. The specific policy that applies to users depends on the region where that individual registered their account:

• Privacy policy for individuals in the European Economic Area, the United Kingdom, and Switzerland
• Privacy policy for individuals in all other regions

Because these policies are similar, we’ll first cover the common elements, and then discuss the differences.

By default, OpenAI collects an extensive array of personal information and technical data about devices from all ChatGPT users.

• Account information: name, login credentials, date of birth, billing information, and transaction history
• User content: prompts as well as uploaded files, images, and audio
• Communication information: contact details the user provided when reaching out to OpenAI via email or social media
• Log data: IP address, browser type and settings, request date and time, and details about how the user interacts with OpenAI services
• Usage data: information about the user’s interaction with OpenAI services, such as content viewed, features used, actions taken, and technical details like country, time zone, device, and connection type
• Device information: device name, operating system, device identifiers, and the browser used
• Location information: the region determined by the IP address, rather than the exact location
• Cookies and similar technologies: necessary for service operation, user authentication, enabling specific features, and ensuring security; the complete list of cookies and their respective retention periods is available here

What exactly OpenAI does with the data it collects from individual users will be discussed in the next part of this post. Here, we indicate the key difference between the privacy policies for users from the European Economic Area (EEA) and those from other regions. European users have the right to object to the use of their personal data for direct marketing. They may also challenge data processing where the company justifies this by its “legitimate interests”, such as internal administration or improvements to services.

Note that OpenAI’s handling of data for business accounts is governed by separate rules that apply to ChatGPT Business and ChatGPT Enterprise subscriptions, as well as API access.

What OpenAI does with your data, and whether ChatGPT is trained on your chats

By default, ChatGPT can train its models on user prompts and the content that users upload. This policy applies to users of both the free version and the Plus and Pro subscriptions.

For business accounts — specifically ChatGPT Enterprise, ChatGPT Business, and API access — training on user data is disabled by default. However, in the case of the API (the application programming interface that connects OpenAI models to other applications and services — the simplest use case being ChatGPT-based customer support bots), the company provides developers with the option to voluntarily enable data transmission.

OpenAI outlines a comprehensive list of primary purposes for processing users’ personal information:

• To maintain services: to respond to queries and assist users
• To improve and develop services: to add new features and conduct research
• To communicate with users: to notify users about changes and events
• To protect the security of services: to prevent fraud and ensure security
• To comply with legal obligations: to protect the rights of users, OpenAI, and third parties

The company also states that it may anonymize users’ personal data, though it does not obligate itself to do so. Furthermore, OpenAI reserves the right to transfer user data to third parties — specifically its contractors, partners, or government agencies — if such transfer is necessary for service operation, compliance with the law, or the protection of rights and security.

As the company notes on its website: “In some cases, models may learn from personal information to understand how elements like names and addresses function in language, or to recognize public figures and well-known entities”.

It’s important to note that all user data is processed and stored on OpenAI servers in the United States. Although the level of personal information protection may vary from country to country, the company asserts that it applies uniform security measures to all users.

How to prevent ChatGPT from using your data for AI training

To disable the collection of your data within the app, click your account name in the lower left corner of the screen. Select Settings, then navigate to Data controls.

In Data controls, turn off the toggles next to the following items:

• Improve the model for everyone: disabling this option prevents the use of your prompts and uploads (text, files, images) for model training. Turning this off deactivates the two items below it
• Include your audio recordings: disabling this option prevents the voice messages from the dictation feature from being used for model training. It’s disabled by default
• Include your video recordings: this refers to the feature that allows you to include a video stream from your camera during a voice chat in the ChatGPT apps for iOS and Android. This video stream may also be used for model training. You can also disable this option through the web application. It’s disabled by default

By turning off these settings, you prevent the use of new data for model training. However, it’s important to realize: if your prompts or content were already used for training before you disabled the option, it’s impossible to remove them from the trained model.

In this same section, you can delete or archive all chats, and also request to Export Data from your account. This allows you to check what information OpenAI stores about you. A data archive will be sent to your email. Please note that preparing an export may take some time.

The Delete account option is also available here. When your account is deleted, only your personal data is erased; information already used for model training remains.

Beyond the in-app settings, you can manage your data through the OpenAI Privacy Portal. On the portal, you can:

• Request and download all your data stored by OpenAI
• Completely delete your custom GPTs, as well as your ChatGPT account and the personal data associated with it
• Ask OpenAI not to train the AI on your data. If OpenAI approves your request, the AI will stop training on the data you provided before you disabled the Improve the model for everyone option in the settings
• Sometimes ChatGPT may also train on personal data from public sources — you can submit a request to stop this as well
• Request the deletion of personal data from specific conversations or prompts

Users from the European Economic Area, the UK, and Switzerland have additional rights under the GDPR. The law is in effect in European countries and regulates how companies collect and use personal data. These rights are not directly displayed on the OpenAI Privacy Portal, but they can be exercised by submitting a request through the portal, or by writing to dsar@openai.com.

How to clear your data from ChatGPT’s memory

Another critical element of privacy protection is ChatGPT’s memory. Unlike chat history, memory allows the model to recall specific details about you, such as your name, interests, preferences, and communication style. This data persists across sessions and is used to personalize the AI’s responses.

To review exactly what the AI remembers within the app, click your account name in the lower-left corner of the screen. Choose Settings, then navigate to Personalization, and select Manage memories.

This section displays all stored information. If you wish for ChatGPT to forget a specific detail, click the trash can icon next to that memory. Important: for a memory to be completely erased, you need to also delete the specific chat the information was saved from. If you delete only the chat but not the memory, the data remains stored.

In Personalization, you can also configure what data ChatGPT will store about you in future conversations. To do this, you should familiarize yourself with the  two types of memory available in the AI:

• Saved memories are fixed recollections about you, such as your name, interests, or communication style, which remain in the system until you manually delete them. These are created when you explicitly ask the chat to remember something
• Chat history is the model’s ability to consider specific details from past conversations to produce more personalized responses. In this case, ChatGPT doesn’t store every detail; instead, it selects only fragments that it deems useful. These types of memories can change and adapt over time

You can disable one or both of these memory types in the ChatGPT settings. To deactivate saved memories, turn off the toggle next to Reference saved memories. To do the same for chat history, turn off the toggle next to Reference chat history.

Disabling these features doesn’t delete previously saved information. The data remains within the system, but the model ceases to reference it in new responses. To completely delete saved memories, go to the Manage memories section as described above.

The Personalization menu in the web-based version of ChatGPT is slightly different, with an additional option: Record mode. This allows the AI to reference transcripts of your past recordings when generating responses. It is possible to disable this feature within the web interface.

In addition, the web version displays a memory usage indicator, such as 87% full, which shows how much space is occupied by memories.

For sensitive conversations, you can utilize special Temporary Chats, which the AI won’t remember.

How to use Temporary Chats in ChatGPT

Temporary Chats in ChatGPT are designed to resemble incognito mode in a web browser. If you want to discuss something particularly intimate or confidential with the AI, this mode helps reduce the risks. The chats are not saved in the history, they don’t become part of the memory, and they’re not used to train the models. This last point holds true for all Temporary Chats regardless of the settings selected in the Data controls section, which was discussed above.

Once a session ends, its contents disappear and cannot be recovered. This means Temporary Chats won’t appear in your history, and ChatGPT won’t remember their content. However, OpenAI warns that for security purposes, a copy of the Temporary Chat may be stored on the company’s servers for up to 30 days.

In June 2025, a court ordered OpenAI to preserve all user chats with ChatGPT indefinitely. The decision has already taken effect, and even though the company plans to appeal it, at the time of this publication, OpenAI is compelled to store Temporary Chat data permanently in a special secure repository that “can only be accessed under strict legal protocols”. This largely nullifies the entire concept of “Temporary Chats”, and confirms the old adage, “There’s nothing more permanent than the temporary”.

It’s important to note that when creating a Temporary Chat, you’re starting a conversation with the AI from a blank slate: the chatbot won’t remember any information from its previous chats with you.

To initiate a Temporary Chat in the web-based version of ChatGPT, open a new chat and click Turn on temporary chat button in the upper right corner of the page.

To activate a Temporary Chat in the ChatGPT applications for macOS and Windows, click the AI model selection, and a Temporary Chat toggle will appear at the bottom of the window that opens.

After a Temporary Chat is activated, a special screen will open, which will look slightly different in the desktop and web versions. If you see this screen, it means things are working correctly.

Integrating ChatGPT with your device applications

The ChatGPT application includes a feature named Work with Apps. This allows you to interact with the AI beyond the ChatGPT interface itself, extending its functionality into other apps on your device. Specifically, the model can connect to text editors and various development environments.

When you utilize this feature, you can receive AI suggestions and make edits directly within those apps, eliminating the need to copy text to a separate chat window. The core concept is to embed the AI into your existing, familiar workflows.

However, along with the convenience, this feature introduces privacy risks. By connecting to applications, ChatGPT gains access to the content of the files you’re working on. These files may include personal documents, work projects or reports, notes containing confidential information, and other similar content. A portion of this data may be sent to OpenAI’s servers for analysis and response generation.

Therefore, the more applications you grant access to, the higher the probability that sensitive information will be exposed to OpenAI.

At the time of this post, the ChatGPT application for macOS can connect to the following applications:

• Text-editing and note-taking apps: Apple Notes, Notion, TextEdit, Quip
• Development environments: Xcode, Script Editor, VS Code (Code, Code Insiders, VSCodium, Cursor, Windsurf)
• JetBrains IDEs: Android Studio, IntelliJ IDEA, PyCharm, WebStorm, PHPStorm, CLion, Rider, RubyMine, AppCode, GoLand, DataGrip
• Command-line interfaces: Terminal, iTerm, Warp, Prompt

No comparable list has been published for the Windows version of the app yet.

To check if this feature is currently enabled on your device, click your account name in the lower-left corner of the screen. Select Settings and scroll down to Work with Apps. If the toggle switch next to Enable Work with Apps is on, the feature is turned on.

It’s important to emphasize that enabling the feature doesn’t immediately give the ChatGPT app access to the applications on your device. For ChatGPT to analyze and make changes to content in other apps, the user must explicitly grant a separate permission to each individual app.

If you’re unsure whether you’ve granted ChatGPT any access permissions, you can verify this within the same section. To do this, select Manage Apps. The window that opens will display every app on your device that ChatGPT can potentially interact with. If each app shows Requires permissions underneath it, and Enable Permission on the right, it signifies that ChatGPT currently has no access to any apps.

On macOS, should you choose to grant ChatGPT access to an application, you must also enable the AI app to control your computer via the accessibility features in the system settings. This permission grants ChatGPT extensive extra capabilities: monitoring your activities, managing other applications, simulating keystrokes, and interacting with the user interface. For this very reason, these permissions are granted only manually and require the user’s explicit confirmation.

If you’re concerned about the uncontrolled sharing of your data with ChatGPT, we recommend you disable the Enable Work with Apps toggle switch and forgo using this feature.

However, if you want ChatGPT to be able to work with applications on your device, you should pay attention to the following three features, and configure them according to your personal balance of privacy and convenience:

• Automatically pair with apps from chat bar allows ChatGPT to automatically connect to supported applications directly from the chat UI without requiring manual selection each time. This speeds up your workflow, but increases the risk that the model will gain access to an application that the user didn’t intend to connect it to
• Generate suggested edits allows ChatGPT to propose changes to text or code within the connected application, but you’ll need to apply those changes manually. This is the safer option because the user retains control over changes being made
• Automatically apply suggested edits allows the model to immediately implement changes to files. While this maximizes process automation, it carries additional risks, as modifications could be applied without confirmation — potentially affecting important documents or work projects

How to connect ChatGPT to third-party online services

ChatGPT can also be connected to third-party online services for greater customization: this allows the AI to offer more precise answers and execute tasks better by considering, for example, your email correspondence in Gmail or schedule in Google Calendar.

Unlike Work with Apps, which enables ChatGPT to interact with locally installed applications, this feature involves external online platforms like GitHub, Gmail, Google Calendar, Teams, and many others.

The exact list of available services depends on your plan. The most extensive selection is available in the Business, Enterprise, and Edu tiers; a slightly more limited set is found in Pro; and the roster of services is significantly more modest in Plus. Free users have no access to this feature. Some regional restrictions also apply. You can view the full list for all plans by following the link.

When connecting to third-party services, it’s crucial to understand exactly what data OpenAI will process, how, and for what purposes. If you haven’t disabled training on your data, information received from connected services may also be used for model training. Furthermore, with the memory option enabled, ChatGPT is capable of remembering details obtained from third-party services and utilizing them in future chats.

To view the list of online services available for connection, click your account name in the bottom left corner of the screen. Then, select Settings and, in the Account section, navigate to Connectors.

Under Connectors, you’ll see services that are already connected, as well as those that are available for activation. To disconnect ChatGPT from a service, select the service and click Disconnect.

To mitigate privacy risks, we recommend connecting only the absolutely necessary services, and configuring the memory and data controls within ChatGPT in advance.

How to set up secure login to ChatGPT

If you are a frequent ChatGPT user, the service likely stores significantly more information about you than even social media. Therefore, if your account is compromised, attackers could gain access to data they can use for doxing, blackmail, fraud, theft of funds, and other types of attacks.

To mitigate these risks, it’s essential to set a complex password, and enable two-factor authentication for logging in to ChatGPT. What we have in mind when we say “complex” is a password that meets all of the following criteria:

• A minimum length of 16 characters
• A combination of uppercase and lowercase letters, numbers, and special characters
• Ideally, no dictionary words, no simple sequences like “12345” or “qwerty”, and no repeating characters
• Uniqueness: a different password for each website or online service

If your current ChatGPT password doesn’t satisfy these criteria, we strongly recommend you change it. While there’s no option to change the password as such in the ChatGPT settings, you can use the password reset procedure. To do this, log out of your account, select Forgot password? on the login screen, and follow the instructions to set up a new password.

You may be tempted to use the AI model itself to generate a password. However, we don’t recommend this: our research suggests that chatbots are often not very effective at this task, and frequently generate highly insecure passwords. Furthermore, even if you explicitly ask the neural network to create a random password, it won’t be truly random, and will therefore be more vulnerable.

For additional account protection, we also recommend enabling two-factor authentication: navigate to Settings, select Security, and turn on the Multi-factor authentication toggle switch. After this, scan the QR code in an authenticator application, or manually enter the secret key that appears on the screen, and verify the action with the one-time code.

In the Security section of the web version, you can also log out of all active sessions on all devices, including your current one. Unfortunately, you cannot view the login history. We recommend using this feature if you suspect that someone may have gained unauthorized access to your account.

Final tips to secure your data

When using AI chatbots, it’s important to remember that these applications create new privacy challenges. To protect our data, we now must account for things that were not a concern when setting up accounts in traditional apps and web services, or even in social media and messaging apps. We hope that this comprehensive guide to privacy and security settings in ChatGPT will help you with this tricky task.

Also, please remember to safeguard your ChatGPT account against hijacking. The best way to do this is by using an app that generates and securely stores strong passwords, while also managing two-factor authentication codes.

Kaspersky Password Manager helps you create unique, complex passwords, autofill them when logging in, and generate one-time codes for two-factor authentication. Passwords, one-time codes, and other data encrypted in Kaspersky Password Manager can be synchronized across all your devices. This will help provide robust protection for your account in ChatGPT and other online services.

If you’re looking for more information on the secure use of artificial intelligence, here are some more useful posts:

• The pros and cons of AI-powered browsers
• Three approaches to workplace “shadow AI” from the cybersecurity standpoint
• New types of attacks on AI-powered assistants and chatbots
• Should you disable Microsoft Recall in 2025?
• Trojans masquerading as DeepSeek and Grok clients

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

I count myself fortunate that I have never been on the receiving end of a ransomware attack. My experiences have been from research and response, never as a victim. It’s a tough scenario: One day you are working or minding your own business when suddenly, threatening notes appear on desktops and systems simply stop working. So much of our survival as humans is tied to our livelihoods, so the amount of stress incurred can be severe. I get it, truly.  

Consequently, I am endlessly academically fascinated at stress responses and how humans… well… human during moments of adversity. A ransomware attack most certainly qualifies as adverse, and my sympathies are with you if you’ve ever had to endure one. But there’s a science to both the personal response, and the business response and its impacts writ large. 

Over the past year, excellent research has been published on these facets of response to help answer some of these questions, and naturally I dove right into the research. One of the things that stuck out to me was that the impact of the attacks and its effect on small businesses as a victim segment. A notable quote from a small business in the U.K. government’s “The experiences and impacts of ransomware attacks on individuals and organisations” states: 

“I’ve started to rebuild, using personal funds and living off personal funds for the last 2 or 3 years… I’ve got 0 savings left… It’s had a total impact on me… I’ve gone from probably nearly a £250,000 business down to about a £20,000 business.”

This quote isn’t unique in its impacts. Anecdotally, I can tell you small businesses are a large swath of victims for ransomware operators. It makes sense — Small victims likely pay out less but likely have lower security standards and security knowledge to defend themselves with. They also do not have the cash reserves, legal teams, or dedicated IT security staff that a mid-sized or larger business have. Simply put, they are disproportionately vulnerable.  

So, what about the impacts to health and wellbeing? What, if anything, do we do? And why the hell should any business even care? To paraphrase the Royal United Services Institute (RUSI) report ‘Your Data is Stolen and Encrypted’: The Ransomware Victim Experience, ransomware victims experience trauma, exhaustion, and emotional harm that rival — and often outlast — the financial or operational damage. You can survive the battle of immediate operational harm of a cyber attack and recover your day-to-day business operations only to lose the war as your employees cope and process the trauma of the event and thus impact your business’ ability to compete and survive.  

A cyber attack is both a technical and psychological crisis. Business leadership would be wise to understand this. Lead with empathy and remember that your employees look to you for leadership, especially in these incidents. People follow calm, not commands. Have an incident response plan for how you respond to the technical crises, but also for how to take care of your people. You might find yourself that much stronger at the end, both with a company that handles adversity and employees that are cared for. 

The one big thing 

Cisco Talos discovered a new malware campaign linked to the North Korean threat group Famous Chollima, which targets job seekers with trojanized applications to steal credentials and cryptocurrency. The campaign features two primary tools, BeaverTail and OtterCookie, whose functionalities are merging and now include new modules for keylogging, screenshot capture, and clipboard monitoring. The attackers deliver these threats through malicious NPM packages and even a fake VS Code extension, making detection and prevention more challenging. 

Why do I care? 

This campaign highlights how attackers use social engineering and software supply chain attacks to compromise individuals and organizations, not just targeting companies directly. If you or your organization use development tools, npm packages, or receive unsolicited job offers, you could be at risk of credential or cryptocurrency theft. 

So now what? 

Be vigilant when installing NPM packages, browser extensions, or software from unofficial sources, and verify the legitimacy of job offer communications. Use layered security solutions, such as endpoint protection, multi-factor authentication, and network monitoring tools like those recommended by Cisco, to detect and block these threats. 

Top security headlines of the week 

Harvard is first confirmed victim of Oracle EBS zero-day hack 
Harvard was listed on the data leak website dedicated to victims of the Cl0p ransomware on October 12. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. (SecurityWeek) 

Two new Windows zero-days exploited in the wild 
Microsoft released fixes for 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild. One affects every version ever shipped. (The Hacker News) 

Officials crack down on Southeast Asia cybercrime networks, seize $15B 
The cryptocurrency seizure and sanctions targeting the Prince Group, associates and affiliated businesses mark the most extensive action taken against cybercrime operations in the region to date. (CyberScoop) 

Extortion group leaks millions of records from Salesforce hacks 
The leak occurred days after the group, an offshoot of the notorious Lapsus$, Scattered Spider, and ShinyHunters hackers, claimed the theft of data from 39 Salesforce customers, threatening to leak it unless the CRM provider pays a ransom. (SecurityWeek)

Can’t get enough Talos? 

Humans of Talos: Laura Faria and empathy on the front lines 
What does it take to lead through chaos and keep organizations safe in the digital age? Amy sits down with Laura Faria, Incident Commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity. 

Beers with Talos: Two Marshalls, one podcast 
Talos’ Vice President Christopher Marshall (the “real Marshall,” much to Joe’s displeasure) joins Hazel, Bill, and Joe for a very real conversation about leading people when the world won’t stop moving. 

Upcoming events where you can find Talos 

• DEEP Conference (Oct. 22 – 23) Petrčane, Croatia 
• NTNU MALWAREFORUM (Oct. 28 – 29) Oslo, Norway 
• Bsides Osijek (Nov. 5) Osijek, Croatia 
• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
MD5: 1f7e01a3355b52cbc92c908a61abf643  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a  
Example Filename: cleanup.bat  
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe 
Detection Name: W32.Injector:Gen.21ie.1201  

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename:85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg

Cisco Talos Blog – ​Read More