2024 has been an eventful year in the world of cybersecurity, with new trends emerging and malware families evolving at an alarming rate. Our analysis highlights the most prevalent malware families, types, and TTPs of the year, giving you a snapshot of the changing threat landscape. 

This report is based on the analysis of 4,001,036 public sessions conducted by ANY.RUN’s community inside the Interactive Sandbox over the last 12 months, which is 1 million more than the 2,991,551 sessions in 2023. Of these, 790,549 were tagged as malicious and 211,517 as suspicious, reflecting a rise in suspicious activity compared to the 148,124 suspicious sessions identified in 2023. 

ANY.RUN identified an astonishing 1,872,273,168 IOCs in 2024—nearly three times more than the 640,158,713 IOCs uncovered in 2023. This sharp growth highlights not only the expanding use of the platform but also the improved threat coverage and detection capabilities of ANY.RUN. 

Top Malware Types in 2024 

In 2024, Stealers dominated with 51,291 detections, marking a significant rise compared to 2023, when they were in second place with just 18,290 detections. This highlights their growing popularity among attackers for data theft. 

Loaders moved to second place in 2024 with 28,754 detections, a slight increase from their leading position in 2023, where they accounted for 24,136 detections. Despite the shift, Loaders remain a critical component in delivering malware payloads. 

RATs (Remote Access Trojans) maintained their third position but saw an increase from 17,431 detections in 2023 to 24,430 detections in 2024, reflecting their continued importance in providing attackers remote control over compromised systems. 

To collect fresh threat intelligence on emerging cyber threats, make sure to use TI Lookup, a service that lets you search ANY.RUN’s vast database of the latest threat data.

It features over 40 search parameters, including IPs, mutexes, and even YARA rules, allowing you to pin the tiniest artifacts to specific malware and phishing attacks and enrich your TI with additional context and actionable indicators.

Learn more about Threat Intelligence Lookup →

Top Malware Families in 2024 

In 2024, Lumma Stealer jumped straight to the top with 12,655 detections, taking over the ranking from nowhere as it wasn’t seen in the 2023 report. Its rapid rise shows how quickly cybercriminals have adopted it. 

Agent Tesla moved up to second place in 2024 with 8,443 detections, compared to 4,215 detections in 2023 when it was in third place. Its continued presence shows it remains a go-to choice for attackers. 

AsyncRAT claimed third place in 2024 with 8,257 detections, while in 2023, Redline was the most popular malware family with 9,205 detections, and Remcos followed with 4,407 detections. 

With TI Lookup, you can track all of these and other malware families and stay updated on their evolving infrastructure. Here is an example of a request to TI Lookup to find Lumma domains:

The service provides a list of relevant domain names used by the malware. Many of them are marked with the malconf tag, indicating that these domains were extracted from Lumma samples’ configurations.

Top MITRE ATT&CK Techniques in 2024 

The MITRE ATT&CK framework is a globally recognized resource that breaks down how attackers operate, mapping their tactics and techniques into clear categories. It’s an invaluable tool for cybersecurity professionals to understand and respond to threats effectively. 

In 2024, ANY.RUN recorded over 1.4 million matches to ATT&CK techniques, a noticeable increase from 1.2 million matches in 2023.  

The rankings saw some significant changes: Masquerading (T1036.005), the top technique in 2023 with 486,058 matches, was overtaken in 2024 by PowerShell (T1059.001) and CMD (T1059.003), which led the list with 162,814 and 148,443 matches, respectively. 

In 2024, new techniques appeared that were absent in 2023, including Python scripting (T1059.004) with 50,002 matches, System Checks for Sandbox Evasion (T1497.001) with 47,630 matches, and Linux Permissions Modification (T1222.002) with 38,760 matches. 

Top TTPs highlights: 

• Scripting Dominance (T1059.001 & T1059.003): 
  PowerShell and Windows CMD remain the top tools for attackers, with over 310,000 detections combined. Their flexibility and integration with systems make them ideal for executing malicious commands. Monitoring script activity and implementing strict execution policies are critical defenses. 

• Evasion Tactics on the Rise (T1497.003 & T1036.003): 
  Sandbox evasion through time-based delays (134,260 detections) and masquerading via renamed system utilities (126,008 detections) highlight attackers’ focus on stealth. Behavioral analysis and anomaly detection can help counter these techniques. 

• Targeting Defenses (T1562.002): 
  Disabling antivirus tools was detected 122,256 times in 2024, showcasing its effectiveness for attackers. Organizations must invest in layered defenses that can identify and respond to tampering attempts in real-time. 

• Exploiting System Services (T1569.002 & T1218.011): 
  Adversaries frequently used system services like Rundll32 (86,760 detections) and service execution (51,345 detections) to execute malicious code while blending into normal operations.  

• Phishing and Email Collection (T1114.001 & T1566.002): 
  Techniques like local email collection (85,546 detections) and spearphishing links (35,272 detections) remained effective, especially in targeted attacks. Robust email filtering and user training remain vital for reducing these risks. 

Report Methodology 

This report is built on insights from 4,001,036 tasks submitted to our public threat database in 2024. Each task represents the hard work and curiosity of our community of researchers, who used ANY.RUN to uncover threats and analyze malware.  

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s products →

The post Malware Trends Overview Report: 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Every ticking second is a chance for cyber threats to creep in. 

For businesses, the stakes couldn’t be higher. One malicious email opened by an employee, and the malware can spread across office computers faster than mushrooms after rain. The consequences? Lost data, financial damage, and a hit to your company’s reputation. 

To stop these threats before they cause harm, businesses need to stay prepared. 

This is where YARA rules come in. They help cybersecurity teams to detect potential threats, simplify the process, and deliver clear, actionable insights to fight back against potential dangers. 

In this article, we’ll dive into the crucial role of YARA rules, how they work, and how their integration into ANY.RUN’s sandbox helps teams to detect and handle cyber threats with confidence and efficiency. 

What Are YARA Rules?

Just as a lighthouse guides sailors safely past hidden rocks and treacherous waters, YARA rules guide cybersecurity professionals by identifying malicious patterns and offering a clear signal amidst the noise of potential threats. 

YARA, funnily enough, stands for Yet Another Ridiculous Acronym. However, its actions are far more serious than its name suggests. YARA rules play a critical role in cybersecurity, helping professionals identify and classify malware by matching patterns in files, processes, or even memory. 

At its core, YARA is a rule-based system that scans for specific characteristics, like unique strings or byte sequences, that are commonly found in malicious software. Think of it as a highly specialized filter that can sift through data to pinpoint potential threats with precision and speed. 

How YARA Helps Organizations Detect Cyber Threats 

YARA simplifies threat detection by identifying malicious patterns in files, processes, and memory with precision. It automates the scanning process, reducing the need for manual analysis and speeding up response times.  

The beauty of YARA lies in its adaptability. Organizations can customize rules to target specific threats or emerging malware families, ensuring their defenses evolve alongside the threat landscape.  

Combined with the real-time capabilities of ANY.RUN’s sandbox, this framework not only detects threats but also helps businesses understand their behavior, enabling them to mitigate risks before serious damage occurs. 

Main benefits of YARA rules in organizations: 

• Quickly identify threats, reducing the time spent on manual analysis. 
• Tailored to detect specific malware families or new attack patterns. 
• Minimize false positives and improve detection accuracy. 
• Streamline the scanning process, saving resources and improving efficiency. 
• Reduce the financial impact of cybersecurity breaches by catching threats early. 

How does YARA work? 

YARA operates as a powerful pattern-matching tool that scans files, processes, or memory dumps for specific characteristics. At its core, it relies on rules, predefined sets of instructions that describe what YARA should look for and under what conditions it should flag something as suspicious. 

Here’s how the main process works: 

1. Creating rules: The first step in using YARA is to create a rule. A rule defines the patterns or conditions YARA will look for in the data.  
2. Scanning the target: Once the rules are defined, YARA scans the target data, this could be a file, a process, or even a memory dump. During the scan, YARA compares the data against the strings and conditions outlined in the rules. 
3. Matching patterns: If YARA identifies patterns in the data that match those defined in the rule, it triggers a match. For example, if a rule is designed to detect ransomware, it might flag a file containing encryption-related commands or unique file headers used by ransomware families. 
4. Flagging threats: When a match occurs, YARA provides a detailed report of the findings. This includes information about the matched rule, the specific patterns detected, and where they were found in the data. 
5. Providing insights: The output from YARA gives cybersecurity teams actionable insights. These insights help analysts decide whether the flagged file or process is malicious and what steps to take next. 

YARA Elements You Should Know

YARA rules are made up of several essential components, each playing a critical role in detecting and classifying malware. To better understand how YARA works, let’s break down its key elements and examine an example. 

Meta section 

The meta section provides descriptive information about the rule. This includes details like the author, creation date, a brief description of the rule’s purpose, and additional contextual data. While it doesn’t affect the execution of the rule, it helps organize and document it for future use. 

Strings section

This section contains the patterns the rule will search for in files or processes. These patterns can include: 

• Text strings: Words or phrases often found in malicious code. 

• Hexadecimal sequences: Byte-level patterns unique to malware. 

• Regular expressions: For advanced matching of dynamic content. 

Condition section 

The condition section defines the logic that determines when the rule will trigger. It specifies the criteria for matching patterns, such as requiring a minimum number of matches from the strings section or looking for specific file characteristics. 

Real-World Example of YARA Rule 

Below is an example of a YARA rule created to detect the Sakula malware family. It shows how each element works together to flag potential threats: 

rule Sakula {    
   meta:        
   author = "ANY.RUN"        
   date = "2024-12-11"        
   description = "Detects Sakula samples"        
   family = "Sakula"        
   sample1= "https://app.susp.io/tasks/3c4f4b5e-7254-4fb4-a31e-4617b03110b1"        
   sample2= "https://app.susp.io/tasks/5722f2e3-64fc-49a4-beac-600c992ab765"        
   hash1 = "5de4e79682120f5b115eea30ce2da200df380f6256f03e38d3692a785f06fd64"    
   hash2 = "a9430482e5695c679f391429c7f7a6d773985f388057e856d50a54d1b19f463b"    
strings:        
   $s1 = "%d_of_%d_for_%s_on_%s"        
   $s2 = "/c ping 127.0.0.1 & del "%s""        
   $s3 = "/c ping 127.0.0.1 & del /q "%s""        
   $s4 = "cmd.exe /c rundll32 "%s""        
   $s5 = "I'm a virus. My name is sola" ascii        
   $s6 = "Local\SM0:%d:%d:%hs" wide        
   $s7 = "Vxzruua/5.0" ascii        
   $s8 = "MicroPlayerUpdate.exe" ascii         
   $s9 = "CCPUpdate" ascii        
   $s10 = "Self Process Id:%d" ascii        
   $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }        
   $op2 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }    
condition:        
   uint16(0) == 0x5a4d and        
   (4 of ($s*) or         
   any of ($op*))}

Let’s highlight some of the key elements in this rule:

Meta

• author = “ANY.RUN”: Indicates the creator of the rule. 
• date = “2024-12-11”: Specifies when the rule was written, useful for tracking its relevance. 
• description = “Detects Sakula samples”: Explains the rule’s purpose—targeting Sakula malware. 
• family = “Sakula”: Categorizes the malware family the rule focuses on. 
• sample1, sample2: Links to Sakula malware samples used for testing and refining the rule. 
• hash1, hash2: Cryptographic hashes uniquely identifying the malware samples analyzed.

Strings

• $s6 = “Local\SM0:%d:%d:%hs” wide
  This is a wide string (Unicode) that includes placeholders for integers (%d) and a short string (%hs).
• $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
  This is a hexadecimal byte sequence that represents a specific operation or function in the malware.

Condition

• uint16(0) == 0x5a4d:
  This condition checks if the first two bytes of the file are 0x5a4d, which is the signature for a Windows PE (Portable Executable) file.
• (4 of ($s) or any of ($op))**:
  This condition checks if at least 4 of the strings ($s1 to $s9) are found in the file, or if any of the hexadecimal byte sequences ($op1 or $op2) are found in the file.  

See YARA in Action 

To better understand how this YARA rule detects Sakula malware, you can observe its behavior in real time using ANY.RUN’s Interactive Sandbox.

View analysis session 

This analysis session showcases the malware’s activity and how the rule effectively identifies its patterns.  

ANY.RUN’s interactive sandbox is a dynamic environment where cybersecurity teams can analyze files and observe their behavior in real time. Unlike traditional sandboxes, ANY.RUN lets users interact with the malware, providing deeper insights and faster results. 

YARA is an inseparable part of this process. By integrating YARA rules into the sandbox, ANY.RUN identifies malicious patterns in files and processes with precision and speed. 

ANY.RUN experts are constantly adding new YARA rules to the core of our malware sandbox, making the analysis process faster and saving security teams loads of time.  

You can easily upload any suspicious file or link into the sandbox, and during the analysis, YARA rules will kick in. If there’s malware hiding in your file or link, the sandbox will spot it for you. 

For example, after analyzing the following sample in the ANY.RUN sandbox, the process fgfkjsh.exe was flagged as malicious with the “MassLogger” tag.

By clicking on the process located on the right side of the screen, the sandbox displays the message “MASSLOGGER has been detected (YARA).” 

But note that YARA isn’t working alone: ANY.RUN’s sandbox also uses Suricata rules to make detections even sharper.  

Discover more about Suricata rules and how they complement YARA in this detailed article: Detection with Suricata IDS 

YARA Search in TI Lookup 

YARA rules aren’t just limited to the sandbox: they’re also available in ANY.RUN’s Threat Intelligence (TI) Lookup. This tool lets you search a massive database of malware artifacts using YARA rules, helping you find connections between known threats and your own files. 

It’s perfect for teams handling big datasets or looking to spot trends in cyber threats. By combining YARA’s precision with the power of the sandbox and TI Lookup, ANY.RUN gives businesses a complete solution to fight back the evolving threats. 

Check out this video on YARA Search in TI Lookup.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post YARA Rules: Cyber Threat Detection Tool for Modern Cybersecurity appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Lilith >_> of Cisco Talos discovered these vulnerabilities. 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

Static login vulnerability 

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

• TALOS-2024-2034 (CVE-2024-39754): Static login 

Ten .cgi vulnerabilities 

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist_sync.cgi 

• TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution 
• TALOS-2024-2000 (CVE-2024-34166): Command injection 
• TALOS-2024-2046 (CVE-2024-36258): Buffer overflow  

Login.cgi 

• TALOS-2024-2017 (CVE-2024-39363): Persistent XXS 
• TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection 
• TALOS-2024-2019 (CVE-2024-36290): Buffer overflow  
• TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload  

internet.cgi 

• TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection 
• TALOS-2024-2021 (CVE-2024-39288): Buffer overflow 
• TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow  

firewall.cgi 

• TALOS-2024-2023 (CVE-2024-39367): Command injection  

adm.cgi 

• TALOS-2024-2024 (CVE-2024-39756): Buffer overflow 
• TALOS-2024-2025 (CVE-2024-37184): Buffer overflow 
• TALOS-2024-2026 (CVE-2024-39294): Buffer overflow 
• TALOS-2024-2027 (CVE-2024-39358): Buffer overflow 
• TALOS-2024-2028 (CVE-2024-21797): Command injection 
• TALOS-2024-2029 (CVE-2024-37357): Buffer overflow 
• TALOS-2024-2030 (CVE-2024-39774): Buffer overflow 
• TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution 
• TALOS-2024-2032 (CVE-2024-37186): OS command injection 
• TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS Command injection 

wireless.cgi 

• TALOS-2024-2039 (CVE-2024-39357): Buffer overflow 
• TALOS-2024-2040 (CVE-2024-39359): Buffer overflow 
• TALOS-2024-2041 (CVE-2024-36493): Buffer overflow 
• TALOS-2024-2042 (CVE-2024-39603): Buffer overflow 
• TALOS-2024-2043 (CVE-2024-39757): Buffer overflow 
• TALOS-2024-2044 (CVE-2024-34544): Command injection 

usbip.cgi 

• TALOS-2024-2045 (CVE-2024-36272): Buffer overflow 

qos.cgi 

• TALOS-2024-2047 (CVE-2024-36295): Command injection 
• TALOS-2024-2048 (CVE-2024-39299): Buffer overflow 
• TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow 

openvpn.cgi 

• TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control 
• TALOS-2024-2051 (CVE-2024-38666): Configuration control 

nas.cgi 

• TALOS-2024-2052 (CVE-2024-39602): Configuration control 
• TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control 
• TALOS-2024-2054 (CVE-2024-39360): Command injection 
• TALOS-2024-2055 (CVE-2024-39280): Configuration control 
• TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control 
• TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal 
• TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection 

Three .sh vulnerabilities 

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw_check.sh and update_filter_url.sh vulnerabilities. 

testsave.sh 

• TALOS-2024-2035 (CVE-2024-39773): Firmware update 

fw_check.sh 

• TALOS-2024-2037 (CVE-2024-39273): Firmware upload  

update_filter_url.sh 

• TALOS-2024-2038 (CVE-2024-39604): Argument injection 

Cisco Talos Blog – ​Read More

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”  

One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

Another notable remote code execution vulnerability in Window Object Linking and Embedding (OLE) was also patched this month. This vulnerability, CVE-2025-21298, is a critical remotely exploitable vulnerability that can be triggered by sending a malicious email to a victim running a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and can be triggered when the victim previews the malicious email. This vulnerability has been assigned a CVSS 3.1 score of 9.8. Microsoft recommends disabling RTF as mitigation for this vulnerability. 

CVE-2025-21294 is a critical vulnerability in Microsoft Digest Authentication that affects multiple versions of Windows and Windows Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. To exploit this vulnerability, an attacker would need to win a race condition. 

CVE-2025-21295 is a critical remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and does not require user interaction for successful exploitation.  

CVE-2025-21296 is a critical remote code execution vulnerability in BranchCache. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft assesses that an attacker would need to be on the same network to successfully exploit this vulnerability.  

CVE-2025-21297 is another critical remote code execution vulnerability in Windows Remote Desktop Services. Microsoft has assessed that this vulnerability is “less likely to be exploited” and that it would require an attacker to win a race condition for exploitation to be successful. This vulnerability affects multiple versions of Windows Server.  

CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21307 is a critical remote code execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability, if successfully exploited, could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to vulnerable systems.  

CVE-2025-21311 is a critical privilege escalation vulnerability in NTLMv1. This vulnerability can be exploited remotely and could allow an attacker to increase their level of access to vulnerable systems. Microsoft recommends disabling the use of NTLMv1 as a mitigation for this vulnerability. 

CVE-2025-21362 – is a critical remote code execution vulnerability in Microsoft Excel. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This vulnerability can also be triggered via the preview pane.  

CVE-2025-21380 is a critical information disclosure vulnerability affecting Azure Marketplace SaaS Resources. According to Microsoft this vulnerability, which could enable an attacker to disclose information, has been mitigated.  

CVE-2025-21385 is a critical information disclosure vulnerability affecting Microsoft Purview. This vulnerability is due to a Server-Side Request Forgery (SSRF) vulnerability that Microsoft reports has been mitigated. 

Talos would also like to highlight the following important vulnerabilities that Microsoft considers to be “more likely” to be exploited:   

• CVE-2025-21189 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21210 – Windows BitLocker Information Disclosure Vulnerability 
• CVE-2025-21219 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21268 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21269 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21292 – Windows Search Service Elevation of Privilege Vulnerability 
• CVE-2025-21299 – Windows Kerberos Security Feature Bypass Vulnerability 
• CVE-2025-21314 – Windows SmartScreen Spoofing Vulnerability 
• CVE-2025-21315 – Microsoft Brokering File System Elevation of Privilege Vulnerability 
• CVE-2025-21328 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21329 – MapUrlToZone Security Feature Bypass Vulnerability 
• CVE-2025-21354 – Microsoft Excel Remote Code Execution Vulnerability 
• CVE-2025-21364 – Microsoft Excel Security Feature Bypass Vulnerability 
• CVE-2025-21365 – Microsoft Word Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64432 – 64436, 64444 – 64457. There are also these Snort 3 rules: 301113, 301114, 301117 – 301123. 

Cisco Talos Blog – ​Read More

Pivoting in cyber threat intelligence refers to using one piece of data to find and explore related information and expand your understanding of a threat. It lets discover hidden connections between indicators of compromise and find potential vulnerabilities before they are exploited.  

Why pivoting matters 

Cyber threat intelligence concentrates on indicators of compromise, IOCs. These are data points or artifacts (like IP addresses, domain names, file hashes, email addresses, etc.) that indicate a potential or actual malicious activity. Pivoting is researching links and correlations between IOCs and thus discovering new IOCs relevant to the same attack, malware, or threat agent.  
 
Pivoting helps make CTI proactive, helps predict and prevent the unfolding of an attack or the emergence of new threats. 
 
Threat intelligence and pivoting are critical for businesses and corporate security because they enhance an organization’s ability to anticipate, detect, and respond to cyber threats. By leveraging actionable insights from threat intelligence and pivoting to discover deeper connections, businesses can protect their assets, reduce risk, and strengthen overall cybersecurity posture. 

Note that the definition of pivoting in threat intelligence is different to that in cyber security. Generally, it’s a popular term used in many other fields.   

In CS the term is usually used by pen testers and hackers. Here pivoting is the act of an attacker moving from one compromised system to one or more other systems within the same or other organizations. Pivoting is fundamental to the success of advanced persistent threat (APT) attacks.  

How it works 

Pivoting for CTI shows its potential when IOCs are viewed not as “atomic” but rather as complex objects. Taken by themselves, they are, so to say, “backward-looking”, they lack context. IOCs are good forensic material, but not enough for predictive, proactive security effort.  

Pivoting focuses on behaviors. Indicators are linked through their behavioral commonalities. This approach grasps IOC relationships, helps discover new ones, predict their behavior, generalize tendencies, and eventually build strong and adaptive defense based on the understanding of adversaries. 

Pivoting routine 

Pivoting is not just about techniques and tools; it is rather about a certain approach or dare say a certain mindset. Once adopted, it’ll give your threat intelligence a new depth and perspective.   

The most basic algorithm is:  

• Select an initial indicator. For example, a suspicious IP. Or a domain name associated with a known threat or attack. 
• Analyze the indicator with a tool of your choice. 
• Decompose the indicator. Understand its parameters. Define which of them could signal malicious behavior or be linked to other artifacts. 
• Find and analyze linked artifacts. Pay attention to those that haven’t been yet connected with a threat or an attack.  
• Research the discovered data. 
• Draw actionable insights. 

Where to start  

You can start with network indicators pivoting.  Basic network IOCs are IPs, domains, SSL/TSL certificates. They all have certain parameters: for example, registrar and registrant for domains, hosting provider or server type for an IP address, issue date or issuer for a certificate. 
 
One of the most powerful tools for IOC research is ANY.RUN’s Thread Intelligence Lookup. It lets you search threat artifacts by about 40 search parameters, including YARA and Suricata rules, combine them and get real-time updates of search results.  

TI lookup is integrated with the Interactive Sandbox used for researching malware in action within a safe virtual environment.   
 
For example, let us try using ASN to identify network infrastructure.  
 
1. Find IPs assigned to the “Autonomous System of Iranian Research Organization for Science and Technology” using TI Lookup. The search query is:  

2. Look at the list of IP addresses in the search results. Some of them have tags assigned to them. The tag “Stormkitty” refers to the eponymous stealer — StormKitty. 

ANY.RUN’s Cybersecurity Blog – ​Read More