GorillaBot: Technical Analysis and Code Similarities with Mirai

Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn. 

In this article, we’re diving into GorillaBot, a newly discovered botnet built on Mirai’s code. It’s been spotted launching hundreds of thousands of attacks across the globe, and it’s got some interesting tricks up its sleeve.  

We’ll walk through how it talks to its command-and-control (C2) servers, how it receives instructions, and the methods it uses to carry out attacks.  

Overview 

“GorillaBot” is a newly discovered Mirai-based botnet that has been actively targeting systems in over 100 countries. According to the NSFOCUS Global Threat Hunting team, the botnet issued more than 300,000 attack commands between September 4 and September 27. 

This malware variant poses a serious cyber threat, affecting a wide range of industries — including telecommunications, financial institutions, and even the education sector — prompting an urgent need for response and mitigation. 

Key Takeaways 

  • GorillaBot is a Mirai-based botnet that reuses core logic while adding custom encryption and evasion techniques. 
  • It targets a wide range of industries and has launched over 300,000 attacks across more than 100 countries. 
  • The botnet uses raw TCP sockets and a custom XTEA-like cipher for secure C2 communication. 
  • GorillaBot includes anti-debugging and anti-analysis checks, exiting immediately in containerized or honeypot environments. 
  • The malware authenticates to its C2 server using a SHA-256-based token generated from a hardcoded array and server-provided value. 
  • Attack commands are encoded and hashed, then passed to a Mirai-style attack_parse function for execution. 

Technical Analysis  

In this section, we will examine the technical details of GorillaBot, focusing on its C2 communication protocol and how it receives information about its targets and the attack methods it’s instructed to use. 

Anti-Debugging  

Before proceeding with its main activity, GorillaBot performs checks to detect the presence of debugging tools. One of its first actions is to read the /proc/self/status file and inspect the TracerPid field. This field indicates whether the process is being traced – a value of 0 means it’s not, while a non-zero value suggests a debugger is attached. 

Learn more about evasion in malware

The process of reading the /proc/self/status file and inspect the TracerPid field 

Another technique that “GorillaBot” uses to detect debuggers is to register a callback function that will pause and then exit upon receiving a SIGTRAP signal. 

Detection of debuggers by Gorillabot 

Environment check  

GorillaBot is highly selective about the environment it runs in. It first ensures that it is operating on a legitimate target machine rather than inside a honeypot or container. To do this, it performs several checks for system-level artifacts that may not be present in those scenarios. 

The code shows that it initially checks for access to the “/proc” file system – a virtual file system that provides user-space processes with information about the kernel and running processes.  

In a typical Linux environment, the presence of the “/proc” file system is expected. If it’s missing, GorillaBot assumes it is being analyzed in a honeypot and exits immediately. 

/proc check to detect non-standard environments 

GorillaBot uses another check to detect Kubernetes containerization by examining a specific file in the “/proc” directory, namely “/proc/1/cgroup.” It looks for the string “kubepods.” If this string is found, GorillaBot recognizes that it is running in a container and terminates its execution to avoid detection. 

Containerization checks by GorillaBot 

Encryption & Decryption Algorithms  

One of the more intriguing features of this Mirai-based botnet is its use of encryption and decryption techniques to obscure key strings and hide internal configuration data.

Researchers observed that GorillaBot uses a simple Caesar cipher with a shift of 3 to decrypt specific strings. In addition, it employs a custom block cipher – which we’ll examine later in this article – to decrypt more complex internal configurations. These methods help the malware avoid static detection and make reverse engineering more difficult. 

The use of Caesar cipher by GorillaBot 

Network Communication  

Initial C2 Communication  

Like many other Mirai-based botnets, GorillaBot uses raw TCP sockets for command-and-control (C2) communication, rather than higher-level protocols like HTTP or HTTPS.  

Learn to analyze malware’s network traffic

The process begins with the malware establishing a connection to its C2 server – the server’s IP address is decrypted at runtime using what appears to be a custom implementation of the XTEA (Extended Tiny Encryption Algorithm).  

The cipher closely resembles TEA or XTEA, employing a 128-bit (16-byte) hardcoded key for both encryption and decryption. 

During each iteration of the algorithm, a delta value is subtracted from the sum. 

Decryption of C2 IP using custom XTEA-like algorithm

The function begins by calculating the length of the provided data. It does this by iterating until it encounters the first NULL character.  

Once the length is known, it proceeds to pack the key. Since the key is given as a serialized sequence of bytes, it must be organized into an array of four 32-bit words before the function can perform either encryption or decryption. 

Key packing and data length calculation before encryption/decryption 

After the key is prepared and the data length calculated, the function checks a mode parameter to decide whether to encrypt or decrypt. It then enters a loop to iterate over the data for either process.

Mode parameter check 

GorillaBot authentication mechanism with the C2 server   

After successfully connecting to the C2 server, the malware initiates the authentication process to identify itself to the server.  

This process begins with the malware sending a 1-byte TCP probe packet to the C2 server. In response, the server replies with a 4-byte TCP packet that includes a “magic” 4-byte value. This value is then used to generate the bot ID for the authentication process. 

View analysis in ANY.RUN’s Interactive Sandbox

C2 communication shown in ANY.RUN’s Interactive Sandbox

The process begins with a returned 4-byte magic value, which is combined with a 32-byte encrypted array to generate the bot ID or authentication token.  

A key aspect of this process is the method used to combine the 32-byte array with the 4-byte magic value to create the token.  

Submit suspicious files and URLs to ANY.RUN
for proactive analysis of threats targeting your company 



Get 14-day free trial


The same cipher previously described is applied to decrypt the 32-byte hardcoded array. Once decrypted, the data is copied into a separate buffer and concatenated with the 4-byte magic value. 

The combined data is then hashed using SHA-256 before being sent back to the command and control (C2) server as the identification token. 

Decrypted array and magic value combined, then hashed with SHA-256 

In the screenshot below, you can see the generated SHA-256 token, which is created by combining the 4-byte magic value received from the C2 server with the decrypted 32-byte hardcoded array. 

The generated SHA-256 token 

The C2 (Command and Control) communication process continues after the C2 server authenticates the botnet.  

In response, the server sends a packet that appears to be a flag, labeled “01,” to confirm the bot’s authenticity. On the C2 server side, most likely a list of hashes representing botnet IDs, such as SHA-256, is maintained. This list is used to verify the received ID, ensuring that the connection is from a legitimate bot instance rather than an unauthorized source attempting to interact with the C2 infrastructure. 

C2 server responds with 0x01 flag to confirm bot authentication 

In the screenshot above, after successfully sending the SHA-256 hash (bot ID), the bot receives a 1-byte response. This response is checked against “01,” which indicates successful authentication. Following this, the bot replies with a 4-byte packet containing the bytes “00 00 00 01.” This is likely the bot acknowledging receipt of the flag packet. 

After, GorillaBot exhibits behavior similar to the original Mirai bot. The malware calculates the length of a provided 32-byte ID buffer and sends this length to the command and control (C2) server. Once the length is successfully sent, the malware transmits the actual ID buffer to the server. 

Mirai code snippet 

The code snippet above is taken from the leaked Mirai source and includes a check for the number of arguments. If a second argument is provided, it is copied to “id_buf,” which has a length of exactly 32 bytes.  

This behavior is consistent with that observed in the Mirai-based variant “GorillaBot.” During its initial communication with the command-and-control (C2) server, GorillaBot first sends the length of the buffer, followed by the buffer itself – mirroring the original Mirai implementation. 

GorillaBot mimics Mirai by sending buffer length, then the buffer 

The screenshot below summarizes the initial C2 communication, validating the connection to ensure it comes from the intended source. This is crucial so that only authenticated connections receive attack commands. 

Summary of initial C2 communication 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



Processing Attack Commands  

Once the bot has been authenticated, the next stage in the C2 communication process involves receiving a packet containing attack target information – essentially, instructions to initiate an attack. 

In the example screenshot below, we can see that the first step taken is to read the length of the packet. This confirms the malware’s ability to retrieve data over the socket from the command and control (C2) server.  

After successfully reading the length, the malware proceeds with execution. It reads the expected length of the attack packet, then uses that length to read the corresponding number of bytes from the C2 server, which constitutes the attack packet. 

Reading packet length from C2 server to begin data retrieval 

Attack Command packet structure  

Below is the structure of the received attack packet along with the corresponding packet capture bytes. The time gap in receiving the length of the entire packet (highlighted in red in the capture) and the actual attack packet is minimal. As a result, it may seem as if they were concatenated into one packet and received simultaneously; however, they were actually received separately. 

The packet structure is quite simple. First, there is a 32-byte hash of the entire received packet, referred to as SHA-256 (highlighted in yellow). Following this, the encoded bytes represent the attack command (highlighted in blue), which will be decoded using the same Caesar shift cipher mentioned earlier before being parsed. 

Struct attack_pkt { 

uint16_t expected_pkt_length; 

char encoded_cmd_sha256_hash[SHA256_BLOCK_SIZE]; 

char encoded_cmd[ENCODED_CMD_LENGTH]; 

};
Attack packet

Once the integrity of the encoded attack command is verified, it is decoded and passed to “attack_parse.” This function is responsible for extracting target information, determining the specific attack method, and then handing off control to the appropriate attack function for execution.

Decoded attack command passed to attack_parse 

The “attack_parse” function closely resembles the original Mirai code, as it processes the provided buffer containing the attack command in a similar manner. Notably, it supports attack commands both with and without options, just like the original Mirai. 

Mirai vs. GorillaBot

Conclusion 

GorillaBot may not reinvent the wheel, but it’s a strong reminder that old code can still pack a punch when reused in clever ways. By building on Mirai’s foundation and adding its own tweaks to communication, encryption, and evasion techniques, GorillaBot proves that legacy malware lives on and evolves. 

To better understand threats like GorillaBot, the use of malware analysis tools like ANY.RUN’s Interactive Sandbox is important. It lets you dive into live malware behavior: from unpacking encrypted payloads to monitoring C2 communication in real time. 

Curious to see it in action? Try ANY.RUN now to explore malware samples like GorillaBot hands-on and uncover the tactics they use during attacks to strengthen your defenses. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

Indicators Of Compromise  

Hashes 

b482c95223df33f43b7cfd6a0d95a44cc25698bf752c4e716acbc1ac54195b55 (View sandbox analysis)  

IP Addresses and Domains  

http://193[.]143[.]1[.]70 (C2 server) 

193[.]143[.]1[.]59 (C2 server) 

The post GorillaBot: Technical Analysis and Code Similarities with Mirai appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The best private browser in 2025: where to flee from Chrome, Edge, and Firefox | Kaspersky official blog

Over the past few weeks, there’s been a series of unpleasant news items on advertising and user privacy in with regard to every major browser developer — except Apple: Google allowing ad tracking through digital fingerprinting; powerful ad blockers ceasing to work in both Edge and Chrome, and Mozilla revising its license agreement seemingly showing far more interest in user data than it used to. What does each of these new developments mean, and how can we now achieve a high level of privacy?

Google greenlights tracking fingerprints

Driven by regulators and user pressure, the internet giant spent years working on ways to track ad performance and deliver relevant ads without using the outdated and much-hated tracking methods: third-party cookies and browser fingerprinting. Google proposed FLoC, Ad Topics, and Privacy Sandbox as replacements, but they’ve probably have fallen short of the target. Therefore, the company backtracked on removing support for third-party cookies from Chrome. Meanwhile, Google’s ad network, the world’s most expansive, has allowed the collection of digital fingerprint data — including the user’s IP address — when displaying ads, as of February 2025. What this implies is that user browsers can be identified irrespective of cookie settings, incognito mode, or similar privacy measures. Digital fingerprinting is highly precise, and altering or disabling a fingerprint is a challenge.

Chrome and Edge pull the plug on extensions that block ads and tracking

Chrome is based on the open-source Chromium browser, which is fully financed by Google. You could say that Chrome is Chromium with Google services built into it, but dozens of other browsers — including Edge and Opera — are also based on Chromium.

Chromium developers have been gradually transitioning the browser extension platform from the Manifest V2 framework to the new Manifest V3 for years. The platform consists of several components, but the most important is the complete list of functions and capabilities provided to the extension by the browser.

V3 has several advantages, but it also cuts Chrome/Edge/Opera/Vivaldi extensions off from certain useful features that are vital for content blockers. Although popular plug-ins such as uBlock Origin and Adblock Plus already have a Manifest V3 implementation, only the V2 version does a good of job blocking ads.

The Chrome Web Store has long stopped approving extensions based on Manifest V2. Since late fall of 2024, new versions of Chrome first started displaying warnings that installed Manifest V2 extensions had to be disabled, and then began to deactivate them automatically. The user can still re-enable them, but it obviously won’t last long.

Microsoft Edge was caught doing the same thing in February. If Google’s current plan holds, even enterprise Chrome users will see Manifest V2 extensions shut down by June 2025, which likely will be followed by Manifest V2 support pulled entirely from Chromium.

What are the developers of dozens of Chromium-based browsers going to do? Well, they’ll inevitably have to kill Manifest V2 support. And without it, your favorite ad blockers and privacy enhancers will stop working.

Mozilla sets its sights on the ad market, too

The non-profit Mozilla Foundation and its subsidiary Mozilla Corporation have always been in an awkward position, as their main source of income was partnerships with search engines — primarily Google. The current Mozilla management mainly consists of alumni from companies like Meta and eBay, which mainly rely on advertising for their revenue. It’s hardly surprising that as of late, Firefox development updates have increasingly angered fans of the browser’s privacy features.

Since version 128, Firefox has incorporated the Privacy-Preserving Attribution (PPA) system, which it’s testing in partnership with Facebook. And at the end of February 2025, the following notice appeared in the updated Firefox Terms of Use: “When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox”.

Users were furious. They interpreted this clause as explicit permission to resell their data and introduce other forms of tracking. Under public pressure, Mozilla amended the language to “You give Mozilla the rights necessary to operate Firefox”. The company’s argument that it had merely codified something the browser was already doing — and actually always had — left users unconvinced. After all, suspicious changes also occurred in other parts of the FAQ: for example, clauses that promised Firefox would never sell data to advertisers were removed.

That said, there were no actual changes to any of the browser’s relevant functionality. So it’s still safe to use Firefox for the time being. However, keep a close eye on any new features in each update. Consider disabling them or looking for an alternative to Firefox. If you want to be the first to know, subscribe to our blog, or follow our Telegram channel.

Nothing changes with Apple’s Safari

The vast majority of Apple users use the stock Safari browser, based on the WebKit engine. It has its own extension system — available through the App Store and utilizing Apple’s special mechanisms for blocking content in the browser. While Safari might miss out on the most powerful extensions like uBlock Origin and NoScript, robust day-to-day tools for blocking ads and tracking are available both in the form of Safari’s standard settings and extensions such as Ghostery.

Apple continues to emphasize privacy as its key differentiator from other platforms, so no alarming concessions to the advertising industry have been observed in Safari. Unfortunately, although you can still install this browser on Windows, it stopped updating back in 2010, so Windows users face a tough choice in the next section…

The best browser for privacy protection in 2025

Starting in June, the popular browsers Chrome and Edge will become largely ineffective for privacy-minded users — no matter what extensions or settings they may have used. The same is true for most other Chromium-based browsers.

As for Firefox, despite Mozilla’s dubious statements, the browser still supports Manifest V2 extensions, and the developers have said they’d maintain this support for the foreseeable future. Still, if you want to stop worrying about controversial features like “attribution” being turned on semi-covertly, you could always migrate to a browser that uses the Firefox source code but is more focused on keeping things private. The main options here are Tor Browser, and popular Firefox forks such as Waterfox and LibreWolf.

Despite its “dark-web browser” image, Tor Browser is also perfectly suitable for viewing ordinary websites — although its default privacy settings are so stringent they can cause many websites to display oddly or be partially non-functional. This is easy to fix by switching the cookie and script settings to a less paranoid mode.

Waterfox is a reasonable middle-of-the-road between Firefox and Tor Browser: no developer telemetry, no built-in services like Pocket, and Firefox ESRs (extended support releases) are used as the source code. The downsides include a small development team, so Waterfox lags behind Mozilla in terms of security patches (although not by much).

Focused on privacy, LibreWolf is positioned as Firefox without all the extras. The browser never “calls home” (it excludes all types of manufacturer reports and telemetry), and it features the popular ad blocker uBlock Origin out of the box. LibreWolf closely follows Firefox in terms of updates, and it’s available on Windows, macOS, and several flavors of Linux.

The Chromium-based Brave browser, which has built-in privacy tools even before you add any extensions, remains a popular option. Its developers have pledged to keep a number of key Manifest V2 extensions on life support: AdGuard AdBlocker, NoScript, uBlock Origin, and uMatrix. However, Brave has several controversial extras, such as a built-in crypto wallet and an AI assistant named “Leo”.

In short, there’s no such thing as a perfect browser, but if you try ranking these options from the most private but least user-friendly to the easiest to use but still private, your chart should look like this: Tor Browser, LibreWolf, Waterfox, Brave, and Firefox.

Any browser, except Tor and LibreWolf, will require a secure configuration and a couple of the aforementioned extensions to block trackers and scripts for maximum privacy.

In Brave and Firefox, you can also enable “Tell websites not to sell or share my data” — a feature established under the new Global Privacy Control initiative. Certain jurisdictions, such as the European Union, the United Kingdom, California, Colorado, and Connecticut, legally require websites to respect this flag, but this safeguard is administrative rather than technical in nature.

Your easiest option, and one that significantly enhances online privacy when using any browser, is installing a Kaspersky security solution for home users and activating Private Browsing. By default, the feature runs in detection mode only, without blocking anything: it detects, counts, and logs attempts at collecting data. If you activate blocking mode, data collection is blocked by default on all sites, with the following exceptions:

  • webites you’ve added as exclusions
  • Kaspersky and its partner websites
  • websites that we know may be rendered inoperable as a result of tracking services being blocked

You can still configure the component to block data collection on the above sites too. Private Browsing has certain limitations. You can manage it both from the Kaspersky application and using the Kaspersky Protection extension for most browsers.

Want to learn more about how browsers track your activity and how to minimize this tracking? More on the topic:

Kaspersky official blog – ​Read More

Fog ransomware publishes victim’s IP | Kaspersky official blog

We closely monitor changes in the tactics of various cybercriminal groups. Recently, experts from Kaspersky’s Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, malefactors were publishing not only victim’s data, but also the IP addresses of the attacked computers. We haven’t seen this tactic used by ransomware groups before. In this post, we explain why it’s important and what the purpose of this tactic is.

Who is the Fog ransomware group, and what’s it known for?

Since the ransomware business began to turn into a full-fledged industry, the involved cybercriminals have been splitting themselves up into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way — the former develop the malware along with a platform for attacks and subsequent blackmailing, while the latter simply buy access to the code and infrastructure under the ransomware-as-a-service (RaaS) model.

Fog ransomware is one such platform — first noticed in early 2024. The malware is used to attack computers running either Windows or Linux. As is customary among ransomware operators in recent years, the affected data is not only encrypted, but also uploaded to the attackers’ servers, and then, if the victim refuses to pay, published on a TOR site.

Attacks using Fog were carried out against companies working in the fields of education, finance, and recreation. Often, criminals used previously leaked VPN access credentials to penetrate the victim’s infrastructure.

Why they are publishing IP addresses?

Our experts believe that the main purpose of publishing IP addresses is to increase the psychological pressure on victims. Firstly, it increases the traceability and visibility of an incident. The effect of publishing the name of a victim company is less impressive, while the IP address can quickly tell not only who the victim was — but also what exactly was attacked (whether it was a server or a computer in the infrastructure). And the more visible the incident, the more likely it is to face lawsuits over data leakage and fines from regulators. Therefore, it’s more likely that the victim will make a deal and pay the ransom.

In addition, publishing an IP address sends a signal to other criminal groups, which can use the leaked data. They become aware of the address of a knowingly vulnerable machine, and have access to the information downloaded from it, which can be studied and used for further attacks on the infrastructure of the same company. This, in turn, makes the consequences of publication even more unpleasant, and therefore becomes an additional deterrent to ignoring the blackmailer’s demands.

How to stay safe

Since most ransomware attacks still start with employee error, we first recommend periodically raising staff awareness about modern-day cyberthreats (for example, using the online training platform.)

In order not to lose access to critical data, we, as usual, recommend making backups and keeping them in storage isolated from the main network. To prevent the ransomware from running on the company’s computers, it’s necessary that each corporate device with access to the network be equipped with an effective security solution. We also recommend that large companies monitor activity in the infrastructure using an XDR class solution, and, if necessary, involve third-party experts in detection and response activities.

Kaspersky official blog – ​Read More

Tomorrow, and tomorrow, and tomorrow: Information security and the Baseball Hall of Fame

Tomorrow, and tomorrow, and tomorrow: Information security and the Baseball Hall of Fame

Welcome to this week’s edition of the Threat Source newsletter. 

“Tomorrow, and tomorrow, and tomorrow / Creeps in this petty pace from day to day / To the last syllable of recorded time.” – Shakespeare’s Macbeth 

“But I am very poorly today and very stupid and I hate everybody and everything. One lives only to make blunders.” – Charles Darwin’s letter to Charles Lyell 
 
“Another day, another box of stolen pens.” – Homer Simpson 

Some people are blessed with the ability to deal with monotony, and some are maddened beyond all recourse by it. In the worlds of both information security and baseball, the ability to overcome tedium is paramount. To be great — not just very good — requires the kind of devotion that many people cannot fathom. 

Ichiro Suzuki is one the greatest players in baseball history and a phenomenal hitter. His dedication led him to practice his swing every day, taking hundreds of swings from both sides of the plate even though he solely batted from the left. He practiced from the right side simply to stay in balance. Ichiro understood that changing your perspective enhances your strengths. 

In cybersecurity, the ability to track and defend against living-off-the-land binaries (LoL bins) is the kind of tedium that garners Hall of Fame results. Cybercriminals and state-sponsored actors exploit built-in tools across all platforms, hiding in the noise of trusted and normal traffic. Once logged in, often with valid credentials, detecting and countering their activity becomes a much more challenging and tedious game, especially for newly minted junior analysts.  

Take some time each day to look at the correlated data from a different source, a different perspective. If you normally look at reconnaissance activity from specific devices, take a few moments to trace the path attackers took across non-security devices for a fuller understanding.  

Ultimately, it comes down to knowing your environment, just as Ichiro worked through the tedium to know his swing. Take the time to learn it from several angles instead of simply banging away from the same view. When all else fails, take a break, walk away, and breathe before getting back in the batter’s box and taking another 500 swings at the tee to become a .300 hitter.

Pssst! The devil on William’s shoulder here. Want to procrastinate and avoid today’s tedium? Curious about what Talos does and how we defend organizations from the latest cyber attacks? Check out this new animated video. From threat hunting, detection building, vulnerability discoveries and incident response, we show up every day to try and make the internet a safer place.

The one big thing 

Cisco Talos released a blog highlighting research into UAT-5918 which has been targeting critical infrastructure entities in Taiwan. UAT-5918’s post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

Why do I care? 

Understanding the actions of motivated and capable threat actors is at the core of defending against them. Threat actors continue to leverage a plethora of open-source tools for network reconnaissance to move through the compromised enterprise, and we see this with UAT-59128. UAT-5918’s intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.  

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. They harvest credentials by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket.

So now what? 

Use the IOCs associated with the campaign in the blog post to search for evidence of incursion within your own environment. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs across platforms and datasets.

Top security headlines of the week

New ChatGPT attacks: Attackers are actively exploiting a flaw in ChatGPT that allows them to redirect users to malicious URLs from within the artificial intelligence (AI) chatbot application. There were more than 10,000 exploit attempts in a single week originating from a single malicious IP address (DarkReading)  

Not your usual spam: Generative AI spammers are brute forcing social media and search algorithms with nightmare-fuel videos, and it’s working. (404 media

Zero-day Windows vulnerability: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. (The Hacker News)

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Amsterdam 2025 FIRST Technical Colloquium Amsterdam (March 25-27, 2025) Amsterdam, NL 
RSA (April 28-May 1, 2025)  San Francisco, CA   
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA  
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week  

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86 
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
Typical Filename: VID001.exe 
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Detection Name: Simple_Custom_Detection 

Cisco Talos Blog – ​Read More

UAT-5918 targets critical infrastructure entities in Taiwan

UAT-5918 targets critical infrastructure entities in Taiwan

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

  • Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
  • UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
  • We assess that UAT-5918’s post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

UAT-5918’s activity cluster

Overview 

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918’s intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

UAT-5918 activity cluster overlapping 

UAT-5918’s tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit

UAT-5918 targets critical infrastructure entities in Taiwan
Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

Victimology and targeted verticals 

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

UAT-5918 targets critical infrastructure entities in Taiwan

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 


Initial access and reconnaissance 

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:users<username>Desktop 
cmd /c dir c:users<username>Documents 
cmd /c dir c:users<username>Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working_directory> 
powershell Get-MpPreference 


Post-compromise tooling 

UAT-5918’s post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

Reverse proxies and tunnels 

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

UAT-5918 targets critical infrastructure entities in Taiwan

The Earthworm (ew) tool for establishing proxies is also run: 

UAT-5918 targets critical infrastructure entities in Taiwan

Port scanning 

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

UAT-5918 targets critical infrastructure entities in Taiwan

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor’s use is: 

Run[.]exe -h <ip_range>/24 -nopoc -pwdf pw[.]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost[.]exe proxy -l *:22 -k 9999 
svchost[.]exe proxy -l *:443 -k 9999
svchost[.]exe proxy -hc -l *:443 -k 99997654
svchost[.]exe -hc proxy -l *:443 -k 99997654
svchost[.]exe proxy -l 443 –v

svchost[.]exe -type server -proto tcp -listen :443
svchost[.]exe -type server -proto http -listen :443
svchost[.]exe -type server -proto rhttp -listen :443

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

Additional network reconnaissance 

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft’s CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:Users<compromised_user>Desktopcports-x64/cports.exe 
C:Users<compromised_user>DesktopTCPViewtcpview64.exe

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell[.]exe -file C:ProgramDatasmblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy[.]exe -h 

Gathering local system information 

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value  
fsutil fsinfo drives
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value


Maintaining persistent access to victims 

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

UAT-5918 targets critical infrastructure entities in Taiwan

JuicyPotato is then run to spawn cmd[.]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:windowssystem32cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp[.]exe <web_shell> <user>@<IP>:/var/www/html/<web_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:ProgramDatabind.exe 

C:ProgramDatamicrobind.exe 

C:ProgramDatareverse.exe 

cmd /c C:/ProgramData/microbind.exe 

Backdoored user account creation 

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname_username> <password> /add 
net localgroup administrators <username> /add
net group domain admins <username> /add /domain


Credential extraction 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

Mimikatz: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

UAT-5918 targets critical infrastructure entities in Taiwan

LaZagne: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe 
C:/ProgramData/LaZagne.exe -all >> laz.txt

Registry dumps: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

UAT-5918 targets critical infrastructure entities in Taiwan

Google Chrome information: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad[.]exe: 

BrowserDataLite_x64.exe 

C:Windowssystem32NOTEPAD.EXE Chrome_LoginPass.txt
C:Windowssystem32NOTEPAD.EXE Chrome_Cookies.txt
C:Windowssystem32NOTEPAD.EXE Chrome_History.txt

SNETCracker: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

UAT-5918 targets critical infrastructure entities in Taiwan

Finding strings related to credentials such as: 

findstr /s /i /n /d:C: password *.conf 


Pivoting to additional endpoints 

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec[.]py Administrator:<password>@<IP> -codec big5 1> [][]127[.]0[.]0[.]1ADMIN$__<timestamp> 2>&1 

cmd[.]exe /Q /c echo python wmiexec[.]py Administrator:<password>@<IP> -codec big5 ^> \<hostname>C$__output 2^>^&1 > C:WindowsjFcZpIUm[.]bat & C:Windowssystem32cmd[.]exe /Q /c C:WindowsjFcZpIUm[.]bat & del C:WindowsjFcZpIUm[.]bat

cmd[.]exe /Q /c net use [][]<IP>c$ /user:<username> 1> [][]127[.]0[.]0[.]1<share>__ 2>&1
cmd[.]exe /Q /c dir [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1
cmd[.]exe /Q /c copy fscan64[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1
cmd[.]exe /Q /c copy [][]<IP>c$<scan_result>.txt 1> [][]127[.]0[.]0[.]1<share>__ 2>&1
cmd[.]exe /Q /c copy fscan[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1
cmd[.]exe /Q /c copy mimikatz[.]exe [][]<IP>c$ 1> [][]127[.]0[.]0[.]1<share>__ 2>&1

File collection and staging 

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD[.]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target_server_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db_backup_location>.bak' 


Coverage 

Ways our customers can detect and block this threat are listed below. 

UAT-5918 targets critical infrastructure entities in Taiwan

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


IOCs 

IOCs for this research can also be found at our GitHub repository here

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391 

Cisco Talos Blog – ​Read More

ANY.RUN Wins in the Best Threat Intelligence Service Category at Cybersecurity Excellence Awards 2025 

It is with great pleasure and gratitude that we announce our victory at the Cybersecurity Excellence Awards 2025, an annual competition for individuals and companies that stand out in the field of information security held by a major online community Cybersecurity Insiders. 

Our service, ANY.RUN Threat Intelligence Lookup, was named best among leading threat intelligence solutions. 

About ANY.RUN TI Lookup 

TI Lookup is a contextual search service available online and through API. Its database contains all information on cyberthreats acquired by ANY.RUN. Users can browse it, analyze millions of public interactive analysis sessions, and gain insight on how to ensure a better security strategy for their company. 

Homepage of ANY.RUN Threat Intelligence Lookup 

Equip your team with the malware analysis tool they need to keep your business secure



Sign up for ANY.RUN now


Our achievement was made possible thanks to TI Lookup’s unique features. This solution not only helps accelerate and simplify research, as well as gain access to up-to-date information on emerging threats, but also enhances the decision-making process and ensures the security of infrastructures in a resource-saving way.  

In the words of organizers 

Holger Schulze, founder of Cybersecurity Insiders and organizer of the Cybersecurity Excellence Awards, noted ANY.RUN’s efforts in inspiring the community and providing top-tier solutions: 

“We congratulate ANY.RUN on this outstanding achievement in the ‘Threat Intelligence’ category of the 2025 Cybersecurity Excellence Awards. As we celebrate 10 years of recognizing excellence in cybersecurity, your innovation, commitment, and leadership set a powerful example for the entire industry.” 

Our win is your win 

We’re happy to share the news with our wonderful audience and thank you for your never-ending support! The victory wouldn’t be possible without our partners, users of ANY.RUN products, and the cybersecurity community in general. 

We’ll continue to work towards our common goal of establishing a safe and efficient platform to benefit malware analysts from around the globe. 

About ANY.RUN 

ANY.RUN provides cutting-edge malware analysis services for security teams: ANY.RUN sandbox, TI Lookup and TI Feeds. They help speed up the workflow of SOC specialists, prevent financial and reputational damage of businesses, as well as allow analysts to act proactively in order to ensure the security of their networks. 

Request free trial of ANY.RUN’s services →

The post ANY.RUN Wins in the Best Threat Intelligence Service Category at Cybersecurity Excellence Awards 2025  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Decoding a Malware Analyst: Essential Skills and Expertise

Malware analysis is a promising yet competitive career path, where education must be taken seriously to stand up against ever-evolving threats. The demand for such professionals has never been higher, but the requirements and expectations are not low either.  

A specific mindset and a number of well-developed soft skills are no less vital than a set of technical skills directly related to performing the job. Nurturing this mindset, as well as developing the skills, is a challenge not only for future professionals, but for educational institutions that offer cybersecurity programs.

1. Technical Skills 

Here go hands-on abilities critical for understanding and countering malware, acquaintance with research methods and tools. 

  • Static And Dynamic Malware Analysis.  

Static analysis is examining malware without executing it—disassembling code, inspecting binaries, and identifying suspicious strings or functions. Dynamic analysis includes running malware in a controlled environment to observe its runtime behavior, such as network traffic or system changes. 

  • Networking and Protocol Analysis. 

Malware often communicates with C2 servers or propagates through networks. Recognizing abnormal network traffic is crucial. 

  • Programming Proficiency. 

Writing scripts or tools in languages like Python or C to automate analysis, unpack malware, or simulate its effects will be a part of work routine. This amplifies efficiency and enables custom solutions for unique threats. The skill is gained through coding practice, creating YARA rules, and engaging with cybersecurity coding projects. 

One great source of technical skills are quality learning programs and courses from validated experts — like ANY.RUN’s Security Training Lab. Based on nine-year experience in threat hunting and analysis, the program contains 30 hours of academic content, educational videos, interactive tests and practical tasks. It is designed with both students and universities demands in mind.  

Give students job-ready skills without designing a course. Learn more about
Security Training Lab
Get a quote for your university 



Get a quote


2. Analytical Thinking (Problem Solving)  

 These skills form a mental framework optimal for dealing with complex threats. 

  • Pattern Recognition.  

Identifying similarities between malware samples aids in detecting new variants and understanding campaigns. It is cultivated by reviewing diverse samples and indicators, studying threat intelligence reports, and building mental or written databases of common tactics. 

  • Root Cause Analysis and Logical Deduction.  

An analyst must be able to find the underlying issue behind an incident to prevent recurrence and refine defensive measures. For this, endpoint forensics, registry analysis, and analyzing system logs are of great help. 
Deduction is applied to infer malware functionality from incomplete or obscured data (e.g., encrypted payloads) and assume effective countermeasures. 

  • Hypothesis Testing. 

Formulating and testing assumptions helps understand malware behavior and intent. One can learn it by practicing in controlled environments, experimenting with malware configurations

3. Communication and Reporting Skills 

Analysis is useless if it can’t be shared effectively with teams and stakeholders. 

  • Technical Writing. 

Clear, concise reports (e.g., detailing a malware’s TTPs—tactics, techniques, procedures) and executive summaries bring actionable insights for security professionals or executives, are crucial for team coordination and legal use. 

  • Collaboration and Information Sharing.  

Participating in cybersecurity communities, contributing to threat intelligence platforms help enhance the collective understanding of threats and fuel professional growth of each member.  

  • Verbal Explanation and visualization. 

Very much in demand is the capability to translate complex findings into terms for non-experts, to bridge the gap between analysts and decision-makers. An expert should be ready to speak at professional events and be coherent at meetings of any audience and level.   
Non the less important is competence is fluency in visualizing information, creating diagrams, attack trees, or timelines of malware behavior.  

It is important to make professional communication your joy and habit since your early days in the industry. ANY.RUN’s Security Training Lab, for instance, supports a private discord community for students with tips, lifehacks, and the latest news in cybersecurity, fostering collaboration and knowledge sharing. 


ANY.RUN cloud interactive sandbox interface

Security Training Lab

Discover ANY.RUN’s educational program for universities:

  • 30 Hours of Academic Content
  • Access to ANY.RUN Sandbox
  • Practical Learning



4. Adaptability and Creativity 

Malware is evolving, so analysts must too, often thinking outside conventional approaches. 

  • Learning Agility.  

Quickly grasping new tools, techniques, or malware trends keeps analysts relevant as threats shift and is vital for staying proactive. New career opportunities are always round the corner for those ready to take online courses, read research papers, attend webinars, explore industry news, and experiment with emerging tech. 

  • Out-of-the-Box Thinking.  

Crafting novel ways to unpack obfuscated code or bypass anti-analysis tricks allows to outsmart malware authors. Problem-solving is fostered by brainstorming alternative approaches, collaborating with peers, and studying unconventional attack methods. 

  • Resilience and Flexibility. 

Adaptability helps survive and progress when malware refuses to behave predictably, resists analysis, and high-end tools fail.  

5. Experience  

Practical exposure builds the intuition and context that technical skills alone can’t provide. 

  • Familiarity with Malware Families. 

Real-world experience with topical malware is key to identifying common traits and recognizing advanced techniques.  

  • Incident Response and Threat Hunting. 

Hands-on experience with real malware outbreaks sharpens decision-making under stress and reveals real-world impact. Experience in live environments develops a proactive approach to identifying and mitigating threats, bridges theory and practice. 

  • Tool Mastery.

Proficiency with services and instruments is what delimits pro from a wannabe. The skill is built by consistent use in labs, following tutorials, and experimenting with new features or plugins. 

Experience is gained through practice only, so practice must be an integral element of education. Our Security Training Lab program introduces students to a range of tools for malware, script, and document analysis, including full access to ANY.RUN’s Interactive Sandbox.  

The Program’s structure and contents with one of the modules expanded 

Why universities choose ANY.RUN’s Security Training Lab 

The program provides educational institutions with the content, tools, and resources they need to train students on actual threats, ensuring they graduate with the skills and knowledge to be effective cybersecurity professionals.  It is designed to: 

  • Close the skills gap — equip students with hands-on experience that employers demand. 
  • Expand curriculum — Add real-world malware investigations to theory-based lectures.  
  • Ensure expert support — Customers get assistance from our malware analyst team. 
  • Help with efficient course management — Monitor student progress and performance. 

Conclusion 

A good malware analyst blends these skills seamlessly. Technical prowess without analytical thinking is like having tools but no plan — ineffective against clever malware. Experience sharpens both, while adaptability keeps them current. Communication ties it all together, ensuring the analyst’s work drives real outcomes, not just personal insight. Each skill is achievable with deliberate effort, practice, and a mindset that thrives on challenge — qualities any aspiring analyst can cultivate over time. 

Educational solutions like ANY.RUN’s Security Training Lab empower universities to deliver a modern curriculum that meets industry standards without recruiting specialized faculty, to make their cybersecurity program engaging and relevant, and to prepare students to handle actual threats. 

Learn more about Security Training Lab and get a quote for your university 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request free trial of ANY.RUN’s services → 

The post Decoding a Malware Analyst: Essential Skills and Expertise appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

New Arcane stealer spreads disguised as Minecraft cheats | Kaspersky official blog

At the end of 2024, our experts discovered a new stealer called Arcane, which collects a wide range of data from infected devices. Now cybercriminals have taken it a step further by releasing ArcanaLoader — a downloader that claims to install cheats, cracks, and other “useful” gaming tools, but which actually infects devices with the Arcane stealer. Despite their lack of creativity in naming the loader, their distribution scheme is actually quite original.

Hopefully, you already know not to download random files from YouTube video descriptions. No? Then keep reading.

How the Arcane stealer spreads

The malicious campaign distributing the Arcane stealer was active even before the malware itself appeared. In other words, cybercriminals were already spreading other malware, eventually replacing it with Arcane.

Here’s how it worked. First, links to password-protected archives containing malware were placed under YouTube videos advertising game cheats. These archives always included a seemingly harmless BATCH file named start.bat. This file’s purpose was to launch PowerShell to download another password-protected archive containing two executable files: a miner and the VGS stealer. The VGS stealer was later replaced with Arcane. At first, the new stealer was distributed in the same way: YouTube video, first malicious archive, then second one, and bingo: Trojan on the victim’s device.

A few months later, the criminals upgraded their approach. Under the YouTube video they started linking to ArcanaLoader — a downloader with a graphical interface, supposedly needed to install cheats, cracks, and similar software. In reality, ArcanaLoader infected devices with the Arcane stealer.

Inside the client — various cheat options for Minecraft

Inside the client — various cheat options for Minecraft

The operation didn’t end with ArcanaLoader. The attackers also set up a dedicated Discord server to embellish their scheme. Among other things, this server is used to recruit YouTubers willing to post links to ArcanaLoader in their video descriptions. The requirements for recruitment are minimal: at least 600 subscribers, over 1500 views, and at least two uploaded videos with links to the downloader. In exchange, participants are promised a new role on the server, the ability to post videos in the chat, instant addition of requested cheats to the downloader, and potential income for generating high traffic. Whether any of these unwitting malware distributors actually received payments is unknown.

The ArcanaLoader Discord server has over 3000 members

The ArcanaLoader Discord server has over 3000 members

All communication on the ArcanaLoader Discord server is in Russian, and our telemetry shows the highest number of victims are in Russia, Belarus, and Kazakhstan. We can conclude from this that Arcane primarily targets Russian-speaking gamers.

How dangerous is the Arcane stealer?

A stealer is a type of malware that steals login credentials and other sensitive information, sending them to attackers. This information helps cybercriminals gain access to accounts in games, social networks, and more. Regarding Arcane, its capabilities are constantly evolving, with cybercriminals actively updating the stealer’s code. At the time of publication of this post, Arcane could steal the “golden classics”: usernames, passwords, and payment card details. The main sources of information for the stealer are browsers based on Chromium and Gecko engines, which is why we recommend against storing such confidential information in browsers. It’s better to use a trusted password manager.

The stealer has another method for extracting cookies from Chromium-based browsers, and stolen cookies can be used for various malicious purposes, including hijacking a YouTube channel. For how exactly this works, read the Securelist study.

In addition to browser data, Arcane steals configuration files, settings, and account information from the following applications:

  • VPN clients. OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, HideMyName, PIA, CyberGhost, ExpressVPN.
  • Network clients and utilities. Ngrok, PlayIt, Cyberduck, FileZilla, DynDns.
  • ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber.
  • Email clients.
  • Game clients and services. Riot Client, Epic Games, Steam, Ubisoft Connect, Roblox, Battle.net, various Minecraft clients.
  • Cryptocurrency wallets. Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi.

An impressive list, right? Arcane also steals various system information. The stealer tells attackers what version of the OS is installed, when it was installed, the Windows activation key, details of the infected system’s hardware, screenshots, running processes, and saved Wi-Fi passwords.

How to protect yourself from Arcane

The attackers started by simply placing links to malicious archives under YouTube videos, and later set up their own Discord server and created a downloader with a graphical interface. Of course, all of this was done to give the scam false credibility, luring in potential victims. From this campaign, we can see that cybercriminal groups today are highly adaptable, quickly shifting their distribution strategies and methods.

To learn more about other types of stealers and their capabilities, don’t miss these posts:

Subscribe to our blog and follow our Kaspersky Telegram channel to stay informed on the latest cybersecurity threats. Also, be sure to share this post with anyone who frequently plays games but may not be aware of the dangers.

Kaspersky official blog – ​Read More

Expose Android Malware in Seconds: ANY.RUN Sandbox Now Supports Real-Time APK Analysis 

It’s here! The news security teams have been waiting for: ANY.RUN now fully supports Android OS in its interactive sandbox! 

Now, you can investigate Android malware in a real ARM-based sandbox, exactly as it would behave on an actual mobile device. No more blind spots or unreliable analysis. 

With this release, ANY.RUN allows SOC teams, incident responders, and threat hunters to analyze Android threats faster, more efficiently, and with greater accuracy while reducing operational costs. 

And the best part? Android OS support is available to everyone, including Free plan users! 

Why Your Team Needs Mobile Threat Analysis Inside ANY.RUN’s Android Sandbox 

Android malware is a direct risk to businesses, financial institutions, and enterprise security teams. Attackers are targeting mobile devices to steal credentials, infiltrate corporate networks, and compromise financial systems.  

Without real-time mobile threat analysis, businesses face delayed detection, higher security costs, and increased exposure to cyber threats. 

Now you can interact with APK files in a fully controlled environment, track malicious activity in real time, and generate in-depth reports: all in one convenient place. 

By analyzing Android threats inside ANY.RUN’s secure cloud-based environment, businesses can: 

  • Spot Android malware in seconds: Run suspicious APKs in a real Android environment and catch threats before they spread. 
  • See exactly what malware is doing: Watch how it abuses permissions, steals data, or makes shady network connections, no more guesswork. 
  • Make Android threat investigations easier: Quickly analyze mobile malware without slowing down your team or piling on extra work. 
  • Take full control of your data: Analyze Android threats in a private, secure environment where only your team has access, no third parties involved. 
  • Improve collaboration: Generate structured reports with detailed APK insights, making escalation and knowledge sharing between your team more effective. 

How to Get Started with ANY.RUN’s Android Sandbox 

Getting started is quick and easy.  

Since ANY.RUN is fully cloud-based, there’s no need to download or install complicated software. Just sign up and follow these simple steps to start analyzing right away: 

  1. Select Android OS – Before launching an analysis, choose Android from the operating system menu. 
  1. Upload the APK file – Drag and drop the file into the sandbox. 
  1. Start the investigation – Run the file and observe its behavior in real time. 

Give your security team the speed to analyze APK files and detect threats instantly with ANY.RUN Interactive Sandbox 



Sign up for free


See It in Action: Analyzing Mobile Malware Inside ANY.RUN’s Android Sandbox 

Let’s look at real-world malware cases to see how ANY.RUN’s interactive sandbox makes Android threat analysis easier and more effective. 

One notorious Android malware family is Coper, a banking trojan that targets financial apps, steals user credentials, and intercepts SMS messages. Attackers use it to bypass two-factor authentication (2FA) and take full control of compromised devices. 

With ANY.RUN’s Android OS sandbox, we can break down exactly how this malware behaves in real time. 

View analysis session 

Coper analyzed inside Android OS

Instant Detection with Interactive Analysis 

The first thing you’ll notice after running an analysis is that ANY.RUN immediately flags suspicious activity. In this case, we see a red alert in the top right corner, signaling that the APK file is performing dangerous actions. 

Fast detection of malicious activities 

Since the sandbox is fully interactive, we can engage with the app just like on a real Android device. This means: 

✔ Opening the malware-infected app and seeing how it behaves 
✔ Granting or denying permissions to observe how it reacts 
✔ Triggering functions like keylogging to uncover hidden actions 

Digging into the Tree of Processes 

To understand how Coper operates under the hood, we check the Process Tree section, which provides a structured breakdown of all executed processes. 

Here, you can: 

  • See which processes are spawned by the malware 
  • Identify connections to suspicious services or commands 
  • Detect any attempts to gain persistence or execute additional payloads 

The Process Tree is located in the right part of the analysis screen, giving a clear and organized view of how the APK interacts with the system.  

Instead of manually tracking logs, security teams get a clear breakdown of malicious actions in a simple, visual format. 

Malicious process carried out by Coper inside ANY.RUN sandbox 

Understanding the Attack Tactics with MITRE ATT&CK Mapping 

Next, we head to the MITRE ATT&CK Matrix section, which helps map out exactly what techniques and tactics Coper is using. 

Inside ANY.RUN, this can be found under the MITRE ATT&CK tab, where you get a structured breakdown of: 

  • The specific attack techniques used (e.g., credential theft, keylogging, SMS interception) 
  • The broader tactics the malware follows (e.g., persistence, privilege escalation) 
  • Links to detailed explanations for deeper research 
MITRE ATT&CK techniques and tactics used by Coper

By clicking on any technique, you get a detailed description of how the attack works, making it easier to correlate threats and improve security defenses. 

Technique details inside Android sandbox 

Collecting IOCs for Threat Intelligence 

Once the analysis is complete, ANY.RUN generates structured, in-depth reports, allowing SOC teams to get: 

  • Malicious URLs and IP addresses 
  • Dropped or modified files 
  • Registry changes and system modifications 

These IOCs can be exported and shared for further action, helping organizations update security rules, improve detection, and prevent future infections. 

In this analysis of GoldDigger malware, we can see a collection of useful IOCs by clicking the “IOC” button in the top right corner of the screen. 

IOCs for further analysis collected inside ANY.RUN’s Android sandbox

Generating a Structured Report for Easy Sharing 

Once the analysis is complete, it’s time to generate a detailed report. In ANY.RUN, this can be done in the Reports section, allowing SOC teams to: 

✔ Quickly escalate cases with clear, organized evidence. 
✔ Share findings across teams for improved collaboration. 
✔ Enhance future detection strategies using real-world behavioral data. 

Report generated inside interactive sandbox

Having a clear, documented report helps SOC teams, threat hunters, and incident responders work more efficiently, ensuring that findings are communicated effectively across teams. 


ANY.RUN cloud interactive sandbox interface

Sandbox for Businesses

Discover all features of the Enterprise plan designed for businesses and large security teams.



Turn Your Team’s Hours of Android Malware Investigation into Minutes 

ANY.RUN’s Android OS support is a whole new way to investigate mobile threats with speed and precision.  

Whether your security team is tackling incident response, malware research, or threat hunting, this release helps businesses detect Android threats easier, cut investigation time, and strengthen security operations. 

  • It’s fast – No waiting for static scans or manual reverse engineering. See how an APK behaves in seconds 
  • It’s interactive – Click, explore, and engage with malware just like you would on a real Android device. 
  • It’s detailed – Track every action with process trees, MITRE ATT&CK mapping, and real-time network insights. 
  • It’s fully cloud-based – Run Android malware investigations anytime, anywhere, without worrying about infrastructure. 
  • It’s built for teams – Generate structured reports, share findings, and collaborate on investigations seamlessly. 

Start your first Android analysis today and experience the precision of mobile malware analysis inside a real ARM-based sandbox. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request free trial of ANY.RUN’s services → 

The post Expose Android Malware in Seconds: ANY.RUN Sandbox Now Supports Real-Time APK Analysis  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Supply chain attack via GitHub Action | Kaspersky official blog

Attacks on open-source mostly start with publishing new malicious packages in repositories. But the attack that occurred on March 14 is in a different league — attackers compromised the popular GitHub Action tj-actions/changed-files, which is used in more than 23,000 repositories. The incident was assigned CVE-2025-30066.  All repositories that used the infected changed-files Action are susceptible to this vulnerability. Although the GitHub administration blocked changed-files Action and then rolled it back to a safe version, everyone who used it should conduct an incident response, and the developer community should draw more general lessons from this incident.

What are GitHub Actions?

GitHub Actions are workflow patterns that simplify software development by automating common DevOps tasks. They can be triggered when certain events (such as commits) occur at GitHub. GitHub has a kind of app-store where developers can take a ready-made workflow process and apply it to their repository. To integrate such a ready-made GitHub process into your CI/CD development pipeline, you only need one line of code.

changed-files compromise incident

On March 14, the popular tj-actions/changed-files GitHub Action — used to get any changed files from a project — was infected with malicious code. The attackers modified the process code and updated the version tags to include a malicious commit in all versions of changed-files GitHub Action. This was done on behalf of the Renovate Bot user, but according to current information the bot itself wasn’t compromised; it was just a disguise for an anonymous commit.

The malicious code in changed-files is disguised as the updateFeatures function, which actually runs a malicious Python script and dumps the Runner Worker process memory, then searches it for data that looks like secrets (AWS, Azure and GCP keys, GitHub PAT and NPM tokens, DB accounts, RSA private keys). If something similar is found, it’s written to the repository logs. Both the malicious code and the stolen secrets are written with simple obfuscation — double base64 encoding. If the logs are publicly available, attackers (and not only the operators of the attack, but anyone!) can freely download and decrypt this data. On March 15, a day after the incident was discovered, GitHub deleted the changed-files process, and the CI/CD processes based on it may have not functioned. After another eight hours, the process repository was restored in a “clean version”, and now changed-files is working again without surprises.

Incident Response

Since logs in public repositories are accessible to outsiders, they’re the most likely to have been affected by the leak. However, in an enterprise environment, relying solely on the assumption that “all our repositories are private” is also not a good idea. Companies often have both public and private repositories, and if their CI/CD pipelines use overlapping secrets, attackers can still use this data to compromise container registries or other resources. Containers or packages built by popular open-source projects can also be compromised in this scenario.

The authors of the ill-fated changed-files recommend analyzing GitHub logs for March 14 and 15. If unusual data is found in the changed-files subsection, it should be decoded to understand what information may have been leaked. Additionally, it’s worth examining GitHub logs for this period for suspicious IP addresses. All changed-files users are advised to replace secrets that could have been used in the build and leaked during this period. First of all, you should pay attention to repositories with public CI logs, and secondly, to private repositories.

In addition to replacing potentially compromised secrets, it’s recommended to download the logs for subsequent analysis, and then clear their public versions.

Lessons from the incident

The complexity and variety of attacks on the supply chain in software development are growing: we’ve already become accustomed to attacks in the form of malicious repositories, infected packages and container images, and we’ve encountered malicious code in test cases — and now in CI/CD processes. Strict information-security hygiene requirements should extend to the entire life-cycle of an IT project.

In addition to the requirement to strictly select the source code base of your project (open source packages, container images, automation tools), a comprehensive container security solution and a secrets management system are necessary. Importantly, the requirements for special handling of secrets apply not only to the project’s source code, but also to the development processes. GitHub has a detailed guide on securely configuring GitHub Actions — the largest section of which is devoted specifically to handling secrets.

Kaspersky official blog – ​Read More