Digital assets after death: Managing risks to your loved one’s digital estate
Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay.
WeLiveSecurity – Read More
CrystalX RAT: a Trojan for pranks, remote access, and cryptocurrency theft | Kaspersky official blog
While this post comes out on April 1, the threat described has little to do with April Fools’ Day — except for the fact that the CrystalX malicious RAT, discovered by Kaspersky experts, can do more than just gain remote access to a victim’s device, steal cryptocurrency and credentials from browsers and apps, or conduct actual surveillance. It can also flip the victim’s screen, swap mouse buttons, write nonsense directly onto the screen, and even block keyboard input. Furthermore, it’s advertised as malware-as-a-service (MaaS) — meaning it’s subscription-based — on Telegram and through instructional videos on YouTube.
In this post, we explain some basics as to how this new malware was built, what makes it difficult to detect, and what to do so you don’t end up among its victims.
A Swiss army knife for attackers
In March 2026, our experts discovered previously unknown malware circulating on private Telegram channels. Borrowing from classic marketing tactics, the Trojan was offered for purchase via three different subscription tiers. Its capabilities cover a fairly broad spectrum: judge for yourself what it can do to a victim’s computer:
- Change desktop wallpaper to an image from a specified link
- Rotate the screen by 90, 180, or 270 degrees
- Simply shut down the computer
- Swap mouse button assignments
- Chat with the victim
- Block both keyboard input and monitor output
- Display any notification text chosen by the attacker
- Disable specific components, such as Task Manager, the command prompt, and the Windows taskbar
Yet that’s only the harmless side of the malware — the prank functionality that harks back to the joke viruses of past decades. The real damage from CrystalX comes from its stealing login credentials for Steam, Discord, Telegram, and all Chromium-based browsers. It can also monitor and change the contents of the clipboard; typically, attackers watch for a crypto wallet address to be copied, and then swap it with their own. This is a popular scheme for stealing crypto: while intending to make a legitimate transfer, the victim copies the recipient’s wallet address, but ends up pasting the scammers’ address instead.
But there’s more: a keylogger feature and full device control with remote access to the screen, camera, and microphone — including video and sound recording capabilities.
The malware was first mentioned in January 2026 in a private Telegram chat for RAT developers. At that time, this Windows Trojan was called WebCrystal RAT and, based on technical details, was revealed to be a clone of another RAT known as WebRat. A short time later, the author of WebCrystal rebranded it as CrystalX RAT, and began touting the Trojan on a newly created Telegram channel.
The initial infection vector for this stealer is currently unknown, but according to telemetry the victims at the time of writing are predominantly located in Russia. And since we’re continuing to find new versions of the malware, we deem it a rapidly growing and evolving threat.
Anyone can become a hacker
Developing any complex cyberattack used to come with a steep learning curve. You needed to understand cryptography and network protocols, and know how to write code that could fool antivirus solutions. It was a high bar to clear, but the malware-as-a-service model has been changing the game.
These days, an attacker only needs basic computer literacy to rent a ready-made platform with a user-friendly user interface. The threat is becoming widespread specifically because malware creators aren’t carrying out the attacks themselves anymore — they’re selling shovels during a gold rush. They focus on supporting their customers, improving the user interface, and pouring money into aggressive marketing.
CrystalX malware control panel
Hackers are even setting up YouTube channels where they use the pretext of “for educational and entertainment purposes” to explain how to manage the Trojan from the control panel. Instructional videos that were once buried in the dark web have gone mainstream, putting hacking techniques in front of a broad, general audience.
How CrystalX bypasses security
No matter how technically advanced a hacking app’s code is, it will die as a project without a constant stream of new clients. This makes marketing efforts vital to its survival — even if they significantly increase the risk of the developer ending up behind bars. However, the creators of CrystalX have figured out how to protect their creation.
The control panel allows clients to build their own unique versions of the Trojan with extensive configuration options. For example, they can enable location filtering to target users in specific countries, choose an icon for the executable file, and toggle anti-analysis features. The finished Trojan is compressed using zlib and then encrypted with a ChaCha20 stream cipher using a 256-bit key and a 96-bit nonce. This ensures that every customer receives a unique version of the malware.
CrystalX is also capable of detecting virtual machines and checking if it’s running in a test or debugging environment, which complicates discovery. You can read more about the structure and functionality of this new Trojan in our Securelist story.
The good news for Kaspersky users is that our security solutions both detect and neutralize CrystalX.
How to avoid becoming a victim
Here are a few simple tips to help you avoid infection by CrystalX and other similar malware:
- Pay attention if your computer starts acting up. Spontaneous screen rotation, the keyboard or mouse behaving erratically or locking up, and random notifications or chat windows can all be signs of a CrystalX infection. If anything like that happens, kill the internet connection immediately by physically unplugging the Ethernet cable or toggling off the Wi-Fi. Then, use a flash drive to install our security suite to root out the virus.
- Make sure you download software only from official websites and trusted marketplaces. Avoid pirated software, license key generators, and free versions of paid applications: these builds are the most common hiding spots for Trojans.
- Don’t fall for “tutorial” videos that push questionable tools for “administration”, “optimization”, or “security testing”. If the blogger says you should disable your antivirus to complete installation, that’s a major red flag and a reason to stop watching.
- Be careful with files you receive through messaging apps. Password-protected archives containing “important documents” or “cool private builds” are typical containers for malicious software.
- Keep your accounts secure. Enable two-factor authentication and passkeys for your most critical services: email, messaging apps, gaming platforms, and crypto exchanges. Kaspersky Password Manager is an excellent tool for this.
- Regularly update your operating system and apps. Fresh patches plug security holes that let malware slip onto your system silently and without any interaction from your side.
- Use a reliable security suite, such as Kaspersky Premium. It detects and blocks Trojan installation or download attempts.
Read more about remote access Trojans, miners, crypto-stealers, and other digital nasties:
Kaspersky official blog – Read More
Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More
March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. ANY.RUN analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient botnet infrastructure affecting organizations across industries.
From Microsoft 365 token abuse and registry-hidden RAT delivery to card theft, macOS backdoor activity, and multi-vector DDoS operations, the threat landscape in March showed how much harder early detection has become for security teams.
Key Business Risks That Stood Out in March Attacks
- Trusted services and normal-looking workflows were repeatedly used to hide malicious activity, increasing the risk of delayed detection across enterprise email, cloud, payment, and endpoint environments.
- Attacks observed in March affected industries including government, finance, healthcare, technology, education, manufacturing, and energy, with risks extending beyond initial access into token abuse, remote access, card theft, and broader malware deployment.
- Stealthy, multi-stage delivery methods made early signals weaker and investigations slower, raising the likelihood of escalation before security teams could confirm malicious behavior.
- For organizations, the business impact was not limited to infection alone, but included fraud, downtime, deeper compromise, and higher operational costs tied to delayed response.
1. EvilTokens: OAuth Device Code Phishing Enables M365 Account Takeover Without Credential Theft
ANY.RUN analysts observed a sharp rise in EvilTokens, a phishing campaign abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week. Instead of stealing credentials on a fake login page, attackers trick victims into entering a verification code on microsoft[.]com/devicelogin, which causes Microsoft to issue OAuth tokens directly to the attacker.
This makes EvilTokens especially dangerous for organizations relying on traditional phishing detection. The user signs in through a legitimate Microsoft page, completes MFA, and never submits credentials to the phishing site. As a result, the compromise shifts from password theft to token abuse, giving attackers access to Microsoft 365 resources while blending into normal authentication activity.
Because the workflow runs over encrypted HTTPS and uses legitimate Microsoft infrastructure, key attack signals are often hidden from security teams. That delays validation, extends investigations, and increases the chance of escalation before analysts can confirm what happened.
See full attack flow exposed in ANY.RUN Sandbox
Inside ANY.RUN Sandbox, automatic SSL decryption revealed the hidden JavaScript and backend communication used to orchestrate the phishing flow. In this case, analysts uncovered high-confidence network indicators such as:
- /api/device/start
- /api/device/status/*
- X-Antibot-Token
When seen in HTTP requests to non-legitimate hosts, these artifacts become strong hunting signals for identifying related phishing infrastructure and improving detection coverage.
To investigate similar activity and validate detection logic, use this TI Lookup query:
TI Lookup helps teams quickly assess the broader attack landscape around EvilTokens and related OAuth phishing activity. Recent submissions show notable targeting across Technology, Education, Manufacturing, and Government & Administration, especially in the United States and India, while other regions are also affected.
This gives SOC teams access to related sandbox analyses, IOCs, and behavioral patterns they can use to strengthen detections and hunting. For CISOs, that means earlier visibility into relevant campaigns, better prioritization of response efforts, and a stronger ability to reduce the business impact of Microsoft 365 account takeover.
IOCs related to this attack:
- singer-bodners-bau-at-s-account[.]workers[.]dev
- dibafef289[.]workers[.]dev
- ab-monvoisinproduction-com-s-account[.]workers[.]dev
- subzero908[.]workers[.]dev
- sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev
- tyler2miler-proton-me-s-account[.]workers[.]dev
2. macOS ClickFix Campaign Targets Claude Code Users with AMOS Stealer and Backdoor Access
ANY.RUN analysts identified a macOS-specific ClickFix campaign targeting users of AI tools such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. In the observed case, attackers used a redirect from Google Ads to a fake Claude Code documentation page, where a ClickFix flow pushed the victim to run a terminal command that ultimately delivered AMOS Stealer.
Once executed, the infection chain moved beyond credential theft. The malware collected browser data, saved credentials, Keychain contents, and sensitive files, then deployed a backdoor that provided continued access to the infected Mac. This makes the attack more serious than a one-time stealer infection, especially in enterprise environments where macOS systems often hold developer access, internal documentation, and business-critical credentials.
How the attack unfolds:
- Google Ads redirect sends the victim to a fake Claude Code documentation page
- ClickFix lures the user into running a terminal command
- The command downloads and executes an encoded script
- AMOS Stealer collects browser data, saved credentials, Keychain contents, and sensitive files
- A backdoor is deployed for continued access
- The updated ~/.mainhelper module enables an interactive reverse shell over WebSocket with PTY support
A key finding in this case was the evolution of the backdoor module ~/.mainhelper. Previously described as a more limited implant, the updated variant now supports a fully interactive reverse shell, giving attackers persistent, hands-on access to the infected system in real time.
For defenders, that changes the risk significantly. What starts as a phishing-style ClickFix infection can quickly turn into long-term remote access, data theft, and broader compromise. Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components also break visibility into weaker signals, which can slow validation and delay escalation.
See the full macOS ClickFix campaign execution chain
ANY.RUN Sandbox helps teams investigate macOS, Windows, Linux, and Android threats with visibility into execution flow, attacker behavior, persistence mechanisms, and dropped artifacts. In cases like this, this cross-platform threat analysis helps analysts confirm malicious activity faster, attribute the intrusion with greater confidence, and strengthen detection logic before the compromise expands further.
3. RUTSSTAGER: Registry-Stored DLL Leads to OrcusRAT Deployment
ANY.RUN analysts detected RUTSSTAGER, a stealthy malware stager that hides a DLL inside the Windows registry in hexadecimal form, making the payload harder to spot during early triage. In the observed chain, the stager led to the deployment of OrcusRAT, followed by an additional binary that helped maintain persistence, ran PowerShell-based system checks, and relaunched the RAT when needed.
What makes this threat notable is the way it avoids a straightforward on-disk delivery path. By storing the DLL in the registry instead of dropping it as a conventional file, the malware reduces its visibility and gives defenders fewer obvious artifacts to catch at first glance. The follow-on activity then helps stabilize the infection and keep remote access available on the compromised system.
Review the full execution chain
Inside ANY.RUN Sandbox, behavioral analysis exposed how the infection unfolded across stages, while file system and process monitoring helped reveal the relationship between the stager, the deployed RAT, and the persistence component. Process synchronization events were especially useful here, showing that the payload components were not acting independently but as part of a coordinated, multi-stage execution chain.
To explore related activity, review relevant sandbox analyses and assess the broader threat landscape, use the following TI Lookup query: registryName:”^rutsdll32$”
Gathered IOCs:
- 57ce6187be65c1c692a309c08457290ae74a0047304de6805dbb4feb89c0d7e5
- 6a581c3b6fe7847bb327f5d76e05653a1504e51023454c41835e5dc48bc13ba4
- 7d157366d74312965912a35cbba4187532cfeb3b803119a3a04c9ba0ba7d4ab0
- 07f56ac8b5bd7cdb4c33ea5e9cd42bc7f9d3cd5504aabbb476ef010a142d7e29
- a6f72590792b3f26271736e5a7ba80102292546bb118cf84ff29df99341abfbe
4. Fake PDF Attachments Hide HTML Phishing Pages That Steal Credentials
ANY.RUN analysts identified phishing emails carrying HTM/HTML attachments disguised as PDF files. In the observed case, a file named pdf.htm opened a fake login page and sent submitted credentials in JSON format through an HTTP POST request to the Telegram Bot API.
The attack relies on a simple but effective disguise: the attachment looks like a document but actually launches a phishing page designed to collect login data. Some samples also include obfuscated scripts, which makes the credential theft logic less obvious during manual inspection and slows down triage.
Once a victim enters their credentials, attackers can use them to access business email, internal services, and other corporate systems tied to the compromised account. For security teams, this turns what may look like a routine attachment into a fast-moving account takeover risk.
Inside ANY.RUN Sandbox, the phishing behavior became visible in under 60 seconds, exposing the outbound communication, loaded scripts, and file contents involved in the theft flow. This helps teams quickly confirm whether an attachment is just suspicious or part of an active credential-harvesting attack, reducing review time and helping analysts act before the stolen access is used.
5. SVG Smuggling Campaign Targets Colombian Organizations
ANY.RUN analysts observed a phishing campaign targeting organizations in Colombia, particularly in government, finance, oil and gas, and healthcare. The attackers use Spanish-language phishing emails with an attached SVG file that acts as more than an image: it contains embedded JavaScript that rebuilds the next attack stage locally through SVG smuggling.
Instead of downloading a payload from an external source right away, the SVG uses a blob URL to generate an intermediate HTML lure inside the browser. That lure imitates a document-related workflow and creates a password-protected ZIP archive for the victim to open, pushing the attack forward while reducing obvious early network signals.
This staged delivery makes the campaign harder to catch during initial triage. SVG smuggling, blob-generated content, and the later use of legitimate Windows components break the compromise into smaller artifacts that may look weak or unrelated on their own, slowing detection and investigation.
Inside ANY.RUN Sandbox, analysts were able to reconstruct the full flow:
SVG smuggling → Blob-based HTML lure → Password-protected ZIP → Notificacion Fiscal.js → radicado.hta → J0Ogv7Hf.ps1 → C2 communication
That visibility helps security teams connect scattered artifacts faster, uncover hidden delivery stages, and confirm malicious activity before the intrusion progresses further.
You can use the following Vjw0rm C2 response commands as detection signals to detect active compromise in your environment:
- Cl — execution termination
- AW — active window data collection and exfiltration
- Ex — PowerShell code execution
- SF / RF — base64 payload delivery, storage, and execution
- DL — file download from URL with optional execution
- DLF — file delivery via C2 with storage and execution
- Un — removal of persistence mechanisms and related artifacts
6. Active Magecart Campaign Hijacks eStores and Steals Card Data
ANY.RUN analysts uncovered an active Magecart campaign targeting e-commerce websites, with a notable concentration in Spain. In the observed cases, attackers hijacked checkout flows, replaced legitimate payment steps with fake interfaces, and stole card data through WebSocket-based exfiltration.
What makes this campaign especially dangerous is its durability. The operation remained active for more than 24 months and relied on a large infrastructure of 100+ domains, using staged payload delivery, fallback domains, and payment-page mimicry to stay operational and avoid disruption. In Spain-focused cases, the attackers notably abused Redsys-themed payment context to make the fraudulent flow appear legitimate.
The campaign also stood out for how it blended card theft into trusted payment experiences. Instead of relying on a simple fake form, the malware dynamically adapted the checkout page, injected malicious elements, and transmitted stolen payment data outside normal HTTP flows, making detection harder for defenders and increasing fraud risk for banks and payment ecosystems.
See the full payment-skimming chain
Inside ANY.RUN Sandbox, analysts exposed the multi-stage delivery logic, malicious script injection, fake payment overlays, and WebSocket-based card data exfiltration. This helps security teams understand how the skimmer operates, identify related infrastructure faster, and strengthen detections against long-running payment theft campaigns.
7. Kamasers: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide
ANY.RUN published a detailed technical analysis of Kamasers, a multi-vector DDoS botnet designed to carry out both application-layer and transport-layer attacks while also supporting follow-on payload delivery. The research shows how the malware operates, how it receives commands, and why it creates risk beyond disruption alone.
Inside the sandbox, analysts observed the botnet retrieving command-and-control data, communicating with active infrastructure, executing DDoS-related commands, and in some cases downloading additional files for execution. This helps security teams confirm malicious behavior faster and understand whether an infected host is being used only for flooding activity or as part of a broader compromise.
Kamasers supports multiple attack methods, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. In addition, it can act as a loader, which increases the risk of further malware delivery, data theft, or ransomware.
Another notable finding was the botnet’s resilient Dead Drop Resolver design. Instead of depending on a single static C2 location, Kamasers uses legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and Etherscan to retrieve active command-and-control addresses, making disruption and early detection more difficult.
For organizations, that means a single infected system can become both a source of external attacks and a foothold for deeper intrusion, increasing operational, financial, and reputational risk.
To review related sandbox analyses and broader activity, use the following TI Lookup query:
8. MicroStealer: A Fast-Spreading Infostealer with Limited Detection
ANY.RUN analysts found MicroStealer, a fast-spreading infostealer that gained traction despite limited public detection. In observed activity, the malware appeared in 40+ sandbox sessions in less than a month, using a multi-stage chain to steal credentials, session data, screenshots, and wallet files.
Inside the sandbox, analysts were able to quickly confirm how the threat unfolds and what data it targets. This kind of visibility helps security teams move from an unclear file to a confident verdict faster, reducing review time and lowering the chance of missed credential theft.
How the attack unfolds:
- NSIS installer delivers the initial payload
- Electron loader requests elevated privileges and launches the next stage
- Java module executes the main stealer logic
- Browser credentials, session data, screenshots, and wallet files are collected
- Stolen data is sent to attacker-controlled infrastructure
What makes MicroStealer notable is not only what it steals, but how it delays confident detection. The layered NSIS → Electron → Java execution chain, combined with obfuscation and anti-analysis checks, makes the malware harder to understand during early triage.
To review related sandbox analyses and broader activity, use the following; TI Lookup query:
For organizations, this risk goes beyond a single infected endpoint. Stolen browser credentials and active sessions can give attackers access to SaaS apps, internal systems, and cloud services, increasing the chance of account compromise and broader intrusion.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect threats earlier, investigate incidents faster, and build stronger response workflows. With Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, the company gives SOC and MSSP teams the visibility and context they need to move from alert to confident decision more quickly.
Today, more than 15,000 organizations and 600,000 security professionals worldwide rely on ANY.RUN. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection.
The post Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Why ransomware is now after your data — and how to protect your home storage | Kaspersky official blog
Today — March 31 — is World Backup Day. And every year, most people tell themselves, “I’ll get around to that tomorrow”. But even if you’re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system — you’re still at risk. Why? Because ransomware has learned how to specifically target everyday users’ backups.
Why home users are in the crosshairs
In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company’s production process or stealing all their information and customer databases usually meant a massive payout. We’ve seen plenty of those cases over the last few years. However, the “small-fry” market has become just as tempting for cybercriminals — and here’s why.
For starters, attacks are automated. Modern ransomware doesn’t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. This means a single attacker can effortlessly hit thousands of home devices.
Second, because of this broad reach, the ransom demands have become more “affordable”. Regular users aren’t asked for millions, but “only” a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police — especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.
And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with “admin” as the password. Many people leave their network attached storage (NAS) wide open to the internet with zero protection. It’s low-hanging fruit.
How personal backups get attacked
A home NAS drive — often called a personal cloud — is essentially a mini-computer running a specialized Linux or FreeBSD-based operating system. It houses one or more large-capacity hard drives, often combined into an array. The storage connects to a home router, making files accessible from any device on the home network — or even remotely over the internet if you’ve configured it that way. Many people buy a NAS specifically to centralize their family’s backups and simplify access for family members, thinking it’s the ultimate safe haven for their digital archives.
The irony is that these very storage hubs have become the primary target for ransomware gangs. Hackers can break in relatively easily either by exploiting known vulnerabilities or simply brute-forcing a weak password. Over the last five years, there were several major ransomware attacks specifically targeting home NAS units made by QNAP, Synology, and ASUSTOR.
Targeting NAS isn’t the only way hackers can get to your files. The second method relies on social engineering: basically tricking victims into launching malware themselves. Take the massive AI hype of 2025, for example. Scammers would set up malicious websites distributing fake installers for ChatGPT, Invideo AI, and other trending tools. They would lure people in with promises of free premium subscriptions, but in reality users ended up downloading and running ransomware.
What ransomware looks for once it’s inside
Once the malware infiltrates your system, it starts surveying its environment and neutralizing anything that could help you recover your data without paying up.
- It wipes Windows shadow copies. The Volume Shadow Copy Service is a built-in Windows feature for quick file recovery. Deleting this data makes it impossible to simply roll back to a previous version of a file.
- It scans connected drives. If you leave an external hard drive permanently plugged into your computer, the ransomware will spot and encrypt it just like any other files.
- It searches for network folders. If your home cloud is mapped as a network drive, the malware will follow that path to attack that too.
- It checks cloud sync clients. Services like Dropbox, Google Drive, or iCloud for Windows all keep local sync folders on your computer. The ransomware encrypts the files in these folders, and the cloud service then “helpfully” uploads the encrypted versions to the cloud.
The golden rule of backups
The classic 3-2-1 rule for backups goes like this:
- Three copies of your data: the original plus two backups
- Two different media types: for example, your computer and an external drive
- One copy off-site: in the cloud or elsewhere, like at a relative’s place
However, this rule predates the era of ransomware. Today we need to update it with one vital condition: another copy must be completely isolated from both the internet and your computer at the time of an attack.
The new rule is 3-2-1-1 — a bit more of a mouthful, but much safer. Following it is simple: get an external hard drive that you plug in once a week, back up your data, and then unplug it.
What you actually need to back up
- Photos and videos. Wedding photos, a baby’s first steps, family archives — these are the memories people will pay for to get back.
- Digital scans or photos of essential documents for every family member — everything from passports to medical records, including old archives.
- Two-factor authentication data. If your authenticator app only lives on your phone and you lose it, you may also lose access to all your protected accounts. Many apps let you back up your authentication data.
- If you use a password manager, make sure it’s syncing to a secure cloud or has an export function.
- Privacy-focused messaging apps don’t always store your history in the cloud. Business correspondence, important agreements, and contacts could vanish if they aren’t backed up.
What to do if your data is already encrypted
Don’t panic. Check out our Free Ransomware Decryptors page. We’ve collected a library of decryption tools that might help you get your data back without paying up.
How to secure your backups
- Don’t leave your external backup drive plugged in all the time. Connect it, copy your files, and unplug it immediately.
- Set up automated cloud backups, but make sure your cloud provider keeps a version history for at least 30 days. If your current plan doesn’t offer this, it’s time to upgrade or switch providers.
- Stick to the 3-2-1-1 rule: original files on your computer, plus an external drive that you only plug in periodically, plus cloud storage. That’s three copies, two media types, one copy offline, and one off-site.
- Cut off internet access to your network storage. If you have a home network drive, make sure that it’s inaccessible from the internet without a password — and that the password isn’t “admin”. Disable any remote access features you don’t actually use, and make sure your firmware is up to date.
- Actually, keep everything up to date. Most attacks exploit known vulnerabilities that have long been patched. Enabling auto-updates for your router, NAS, and computer only takes a few minutes of setup but effectively slams the door on hundreds of known security holes.
- Steer clear of “free” versions of paid software. Fake installers for pirated software or game cheats are some of the primary delivery channels for ransomware. By the way, Kaspersky Premium sniffs out these threats and blocks them before they even launch.
- Be sure to enable the System Watcher feature in our Windows security suites. This feature logs every operating system event to help track down threats like ransomware and either block them or roll back any damage they’ve already done.
- Back up your authenticator app. The easiest move is to migrate your authentication tokens to Kaspersky Password Manager. It keeps them securely encrypted in the cloud alongside your passwords and sensitive docs, while syncing them across all your devices. That way, if your phone gets swiped or fried, you aren’t locked out of your accounts and vital data.
- Test your backups. Every few months, try restoring a random file from your archive. You’d be surprised how often a seemingly successful backup turns out to be corrupted or glitchy. It’s better to catch those glitches now while you still have the originals to fix the problem.
Kaspersky official blog – Read More
Ransomware in 2025: Blending in is the strategy
Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.
That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing) they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.
In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.
The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important your asset management comes into play here — having clear asset inventories and network behaviour baselines and conducting continuous anomaly monitoring.
Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution.
Top-targeted sectors
From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.
Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.
Most prolific ransomware groups
The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.
Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.
Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).
An opportunity for defenders
What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.
It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.
Defender recommendations
- Strengthen identity protections. Actors predominately targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
- Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
- Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
- Regularly test ransomware response readiness.
Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.
Cisco Talos Blog – Read More
Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections
March was a packed month for ANY.RUN. We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the sandbox workflow.
At the same time, our detection team continued to strengthen threat coverage with new behavior signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques.
Here’s a closer look at what’s new.
Product Updates
This month’s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded sandbox coverage to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.
Automatic SSL Decryption for Stronger Phishing Detection
Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.
In March, ANY.RUN introduced automatic SSL decryption in the Interactive Sandbox across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.
Check real-world example: Detecting Salty2FA phishing campaign with SSL decryption
This significantly expands phishing visibility across every sandbox session. After implementing the technology, ANY.RUN saw a 5x increase in SSL-decrypted phishing detection and added 60,000 more confirmed malicious URLs to TI Lookup each month.
For your SOC, this means:
- Higher detection rate: Analysts can now identify phishing activity that would otherwise stay hidden inside encrypted traffic.
- Faster MTTD and MTTR: Teams confirm malicious behavior earlier and respond before phishing causes broader damage.
- Reduced Tier 1-to-Tier 2 escalation volume: Tier 1 can close more cases independently and escalate only the incidents that truly need deeper investigation.
Expanding Your SOC’s Cross-Platform Analysis with macOS
As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases.
To help solve this, ANY.RUN expanded its sandbox OS coverage with macOS virtual machine, now available in beta for Enterprise Suite users. This gives teams one environment to investigate threats across Windows, Linux, Android, and now macOS.
Bringing interactive macOS analysis into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.
This operational improvement leads to measurable outcomes:
- Faster validation of suspicious files and URLs: Teams can confirm malicious behavior in minutes through behavior-based analysis during triage.
- Shorter investigation cycles: Analysts can observe full execution behavior in one environment without manually piecing evidence together across multiple tools.
- Improved cross-platform detection coverage: Security teams can investigate platform-specific threats across macOS, Windows, Linux, and Android in a consistent workflow.
- Higher productivity during triage: Less context switching helps analysts process more alerts per shift.
- Reduced alert backlog during peak activity: Faster decisions help SOC teams keep queues under control during phishing waves and malware outbreaks.
Advancing Server-Side Threat Analysis with Windows Server
For many enterprise teams, critical infrastructure runs on Windows Server, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup.
To close that gap, ANY.RUN Sandbox now supports analysis in a Windows Server environment. This gives security teams a way to observe attack behavior in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools.
This addition helps teams strengthen infrastructure-focused triage and response:
- Better visibility into server-specific techniques: Teams can analyze behavior tied to domains, policies, and administrative utilities in a more relevant environment.
- Stronger investigation confidence for infrastructure threats: Analysts can validate whether a sample affects server-side services or critical business systems before escalating.
- More effective detection and response preparation: Security teams can collect artifacts, refine detections, and improve incident playbooks for Windows Server scenarios.
Threat Coverage Updates
In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse.
This month’s updates include:
- 91 new behavior signatures
- 1,293 new Suricata rules
These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader behavior, and suspicious use of built-in system tools.
New Behavior Signatures
In March, we added 91 new behavior signatures to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity.
These updates improve visibility into behaviors often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis.
Highlighted families and detections include:
- HolyCat
- SuperCard
- Noodlopfile
- CharlieKirk
- LockCrypt
- GibCrypto
- ZipWhisper
- PixyNetLoader
- Quantum
- Queen
- Zov
- FileScavenger
- Rodecap
- Recuva
- OCRFix
New behavior-based detections also cover:
- PhantomCore
- Delivers shell command via nslookup
Together, these additions give security teams broader behavioral coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions.
New Suricata Rules
In March, we added 1,293 new Suricata rules to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic.
Key highlights include:
- Credential theft via Telegram API (sid: 84001778): Tracks adversary attempts to exfiltrate victim’s email & password via Telegram Bot API
- MS OAuth Device Code phish / EvilTokens activity (sid: 84001845): Identifies usage of emerged attack technique that exploits legitimate OAuth 2.0 device authorization flows to gain control over victims’ Microsoft 365 accounts
- DinDoor backdoor HTTP activity (sid: 85006556): Detects Iran-linked MuddyWater (TA450) actor’s new backdoor attempts to establish C2 communication via HTTP
Threat Intelligence Reports
In March, our team published new threat reports covering emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques.
- VIDAR, VENON, and SLOPOLY: This report covers a polymorphic stealer, a Rust-based banking RAT, and a PowerShell backdoor tied to the Hive0163 ecosystem, with a focus on their behavior, artifacts, and detection opportunities.
- Steaelite, BlackReaper, and Jigsaw: This brief looks at three threats combining credential theft, remote access, persistence, and ransomware behavior, including Telegram-based control and file encryption activity.
- PhantomProxyLite, Rutsstager, Steaelite RAT, and Nopname: This report explores tunneling, registry-based staging, data theft, and ransomware, showing how these threats mix stealth techniques with clear forensic traces.
About ANY.RUN
ANY.RUN provides interactive malware analysis and threat intelligence solutions built to support modern security operations.
By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier.
Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, compliance, and workflow demands of real-world security operation
Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization →
The post Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
An iron curtain for AI: how to improve autonomous AI agent security | Kaspersky official blog
Many AI visionaries see the universal smart assistant — one that takes over all sorts of routine tasks — as the key direction for the technology’s evolution. Experiments in this field are already in high gear and are yielding some results. Since the start of the year, the internet has been buzzing with stories of the miracles worked by the open-source AI agent OpenClaw, also known as Clawdbot and Moltbot.
If you’ve been following our blog, you already know the drill: every leap forward in AI innovation right now seems to come with serious issues regarding security and privacy. To actually get things done, these agents require access to virtually all of your digital services: email, calendars, cloud storage, messaging apps, and many more.
However, until recently, not a single project — OpenClaw included — could actually put a leash on these agents, or provide any real guarantee that they wouldn’t go off the rails. But that’s finally starting to change thanks to a new concept name IronCurtain — the brainchild of researcher Niels Provos.
The dangers of AI agents
Let’s keep the suspense going for a little longer, and first discuss what an AI agent gone rogue is actually capable of. It’s important to remember that at the most basic level, any modern AI tool is built on a language model — essentially a text-processing algorithm fed a massive volume of data in its training phase. The result is a statistical model capable of determining the probability of which word will most likely follow another.
A language model is a black box. In practice, this means nobody — not even its creators — fully understands exactly how an AI tool works under the hood. An obvious consequence is that AI developers themselves don’t entirely know how to control or restrict these systems at the model level; instead, they have to invent external guardrails of varying degrees of effectiveness and reliability.
Meanwhile, the methods used to bypass these safeguards often prove to be quite unexpected. For example, we recently shared how chatbots can be coaxed into forgetting almost all their safety instructions if you charm them with prompts written in verse.
But back to the threats posed by AI agents. The inability to fully control or predict the actions of smart assistants often leads to outcomes that no one could have expected. A prime example is the high-profile case where OpenClaw nuked every single email in its owner’s Gmail inbox — despite being explicitly told to wait for confirmation before doing anything — only to apologize afterwards and promise it wouldn’t happen again.
This chat between the OpenClaw bot and its owner resembles a conversation with a teenager who’s just messed up: “What did I tell you?!” – “Geez, Mom, I’m sorry, I won’t do it again — I promise.” Source
In another instance, a journalist testing an AI agent’s capabilities found that the system had pivoted to a highly questionable plan of action while executing a task. Instead of attempting a constructive solution, the agent decided to launch a phishing attack on the user. Seeing the system’s logic unfolding on the screen, the journalist immediately pulled the plug on the experiment.
Beyond spontaneous bad behavior, AI remains vulnerable to prompt injection attacks. In this type of attack, a threat actor smuggles their own malicious instructions into a command or the data being processed (direct prompt injection), or, in more sophisticated cases, even into third-party content used by the agent to do its job (indirect prompt injection). The large language model perceives these instructions as part of the user’s request; as a result, the AI may ignore its original constraints and help the attacker.
Additional danger stems from vulnerabilities within AI agents that could potentially allow attackers to access user data the agent is authorized to see — including passwords, encryption keys, and other secrets — or even grant the ability to execute arbitrary code on the host system.
Of course, this list of threats is by no means exhaustive. As we’ve said time and again, no one knows the full extent of the risks associated with AI. However, researcher Niels Provos recently proposed an approach to help put a leash on AI agents to make them more controllable and mitigate the potential threats.
How Iron Curtain makes AI agents safe to use
IronCurtain, Niels Provos’s new open-source solution, uses an added security buffer between the AI agent and the user’s system.
Instead of giving the AI agent free rein on your system, it forces the agent to work from inside an isolated virtual machine that sits between the bot and your actual accounts. This isolation allows the agent’s actions to be separated from the user’s own, reducing risks if the agent decides to go rogue.
Why did Provos use the name “IronCurtain”? Many will presume it’s a reference to the notional barrier that divided Western Europe and the Warsaw Pact countries of Eastern Europe in the second half of the 20th century. However, the author himself states there is no such connection.
The project’s name doesn’t refer to a political metaphor at all, but rather… to a theatrical term. In a theater, an iron curtain is a fireproof partition between the stage and the auditorium. If a fire breaks out on stage, the curtain drops to prevent the flames from spreading. By this analogy, the AI agent is “on stage”, while the user’s system with all its files and data is in the “auditorium”. IronCurtain acts as that protective barrier between them.
However, isolation is only part of the solution. At the heart of the system is a security policy that determines which actions the agent is permitted to perform. The design of IronCurtain allows the user to write their own security instructions — defining what the agent can and can’t do — in plain English (no word of support for other languages yet).
The system then uses AI to transform these instructions into a formalized security policy applied to the agent’s actions across the board. Every request it makes to external services — whether email, messaging, or file management — is run through this policy to make sure the agent isn’t overstepping its bounds.
The security policy set during the initial configuration can — and should — evolve over time. According to Provos’s vision, when encountering ambiguous situations, the AI should reach out to the user with follow-up questions and update the instructions from their responses.
IronCurtain is available to anyone on GitHub, but making it work on your computer takes some serious engineering skills. Remember too that, for now, this is merely an R&D prototype.
Can IronCurtain be a proper fix?
Niels Provos’s solution sure does look interesting, and aligns with some experts’ views on an ideal approach to AI safety. However, it’s too early to consider IronCurtain a definitive solution to the problem.
Its biggest obvious flaw is that it’s a resource hog. Using an isolated environment for every AI agent requires serious computing power, and complicates infrastructure — especially when multiple agents are running simultaneously.
Furthermore, as mentioned, IronCurtain is still very much in the prototype phase: practical effectiveness hasn’t been proven yet. In particular, there’s a significant question mark over how accurately natural language instructions can be converted into formalized security policies.
It’s also a coin toss as to whether this architecture can truly stop prompt injection. Sadly, the root of the problem is the fundamental inability of modern LLMs to distinguish between data and instructions.
Despite all its limitations, IronCurtain represents a major step toward safer and tamer AI agents. At a minimum, this approach provides a vital blueprint for future development, allowing for a substantive debate on how to make such systems reliable and effective.
How to use AI assistants safely
While architectures like IronCurtain remain experimental in nature, the responsibility for using AI safely rests primarily with users themselves. So, to wrap things up, let’s break down a few simple rules to help mitigate risks when working with AI assistants.
- Evaluate the risks properly before experimenting with the next big thing. Think about what could go wrong and the possible fallout. The internet is already full of real-life examples from users, so you can learn from that collective experience.
- Avoid giving AI agents excessive access privileges. If an assistant only needs access to a calendar or a specific folder, don’t connect your entire email, cloud storage, and work accounts to it.
- Verify AI actions before they’re executed. Even if your agent offers to automate a task, it’s better to manually confirm important operations like sending emails, deleting data, or making payments. Yes, the agent might still misbehave, but you should at least try to rein it in.
- Install a reliable security solution on all the devices you use, just in case a mischievous AI agent brings back some nasty malware as a souvenir from its uncontrolled wanderings across the web.
What else you should know about using AI safely:
Kaspersky official blog – Read More
ANY.RUN at RSAC™ 2026: Highlights & Industry Recognition
We’ve just returned from RSAC
2026 in San Francisco, one of the most important cybersecurity events of the year.
As always, the conference brought together security leaders, vendors, and practitioners from around the world. For the ANY.RUN team, it was a packed few days of meetings with customers and partners, insightful presentations, and strong industry recognition.
ANY.RUN at RSAC 2026
This year, ANY.RUN was represented at RSAC by our CCO, Alex, who attended the conference to meet with partners and customers, discuss ongoing collaborations, and exchange insights on evolving threat detection challenges.
Beyond scheduled meetings, RSAC also provided an opportunity for deeper conversations in a more informal setting, including a partner dinner where key topics around SOC workflows, threat intelligence, and detection strategies were discussed.
These interactions are an important part of how we continue to align ANY.RUN’s solutions with real-world needs across security teams and MSSPs.
Industry Recognition at Global InfoSec Awards 2026
During RSAC 2026, ANY.RUN was honored at the Global InfoSec Awards 2026, organized by Cyber Defense Magazine.
We received recognition in two categories:
- Innovative Malware Analysis for Interactive Sandbox
- Market Leader in Threat Intelligence
The recognition reflects what our solutions deliver in practice: higher detection rates, lower MTTR, and faster decision-making through interactive analysis and real threat context. It highlights unified workflows that keep investigations within a single process from monitoring to response, along with the ability to scale across both enterprise SOCs and MSSPs.
About ANY.RUN
ANY.RUN provides interactive malware analysis and actionable threat intelligence designed for modern security teams.
Our solutions combine an Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds to help SOC and MSSP teams analyze threats faster, investigate incidents with deeper context, and detect emerging attacks earlier.
Trusted by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN maintains a strong focus on data protection and compliance, while continuously evolving its solutions to address real-world threat detection and investigation challenges for SOCs and MSSPs.
The post ANY.RUN at RSAC™ 2026: Highlights & Industry Recognition appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
A cunning predator: How Silver Fox preys on Japanese firms this tax season
Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them
WeLiveSecurity – Read More
RSAC 2026 wrap-up – Week in security with Tony Anscombe
This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven’t caught up with
WeLiveSecurity – Read More