A researcher has discovered a vulnerability in PyTorch, an open-source machine learning framework. The vulnerability, registered as CVE-2025-32434, belongs to the Remote Code Execution (RCE) class and has a 9.3 CVSS rating, meaning it is categorized as critical. Exploitation of CVE-2025-32434 under certain conditions allows an attacker to run arbitrary code when malicious AI model is being loaded on the victim’s computer. Anyone using PyTorch is advised to update the framework to the latest version as soon as possible.
The CVE-2025-32434 vulnerability
The PyTorch framework, among other things, allows users to save trained models to a file that stores the weights. And, of course, load them from the file using the torch.load() function. Trained models are often shared via various public repositories and, theoretically, they may contain malicious implants. Therefore, the official documentation of the PyTorch project recommends using the torch.load() function with the weights_only=True parameter for security purposes (this way, only primitive data types are loaded: dictionaries, tensors, lists, and so on).
The vulnerability CVE-2025-32434 exists due to an incorrectly implemented deserialization mechanism when loading a model. The researcher who discovered it, demonstrated that an attacker can create a model file in such a way that the weights_only=True parameter will lead to the exact opposite effect —while loading of this malicious model will lead to arbitrary code execution that can compromise the environment in which the model is run.
How to stay safe?
The researcher did not publish a detailed method for exploiting this vulnerability, and at the moment there is no evidence that someone is using CVE-2025-32434 in real attacks. However, the very fact of releasing a patch always attracts both researchers and attackers to the problem, so proof-of-concept exploits are most likely already being developed.
The team responsible for developing the PyTorch framework released update 2.6.0, in which the vulnerability CVE-2025-32434 was successfully fixed. All previous versions, up to 2.5.1, remain vulnerable and should be updated as soon as possible. If this is not possible for some reason, then researchers recommend to refrain from using the torch.load() function with the weights_only=True parameter and temporarily switch to alternative methods of model loading.
In addition, we recommend paying special attention to protecting virtual and cloud environments – this is easiest to do using specialized solutions.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-21 19:06:372025-04-21 19:06:37Update PyTorch ASAP | Kaspersky official blog
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-18 15:06:462025-04-18 15:06:46CapCut copycats are on the prowl
Welcome to this week’s edition of the Threat Source newsletter.
As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives.
Lately, I’ve found myself thinking about these differences in the context of online interactions, particularly with search engines. I’ve become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It’s often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me.
It’s easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It’s not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language.
Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.”
I like it for three reasons:
You can try one of the public instances and check if you like it before you go all-in.
You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data.
With Opensearch it seamlessly integrates with your existing browser.
It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize:
“:en”, “:de” or “:fr” to search in a given language
“!social_media” or “!news” to search just a given category
The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven’t explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it’s wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.
The one big thing
We are continuing our discussion of Talos’ 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.
Why do I care?
Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.
Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).
So now what?
These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.
Top security headlines of the week
OpenAI cuts safety tests in “reckless” AI push. According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this:
AI-hallucinated code dependencies become new supply chain risk. “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
Windows Recall seems to be back again. More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
The 25-year-old CVE program seemed to be at risk. MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.
Can’t get enough Talos?
Unmasking the new XorDDoS controller and infrastructure. Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.
Talos Takes: Year in Review Special (Pt. 2). Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-17 18:06:552025-04-17 18:06:55Care what you share
Making ANY.RUN’s products better for the benefit of businesses, organizations, and SOC teams is our top priority. To get maximum value out of our solutions, we provide them with API, a tool enabling users to integrate our services into their security infrastructure. And now, to make this process even smoother, we introduce a software development kit (SDK).
With it, it’s even easier to make ANY.RUN a part of your security system. Data provided by our solutions will help you establish a safer infrastructure and improve the defense strategy of your company.
Learn about ANY.RUN’s SDK features, advantages, and use cases below.
Benefiting the security team of your company
An SDK is a tool that helps increase the efficiency of your workflow through integration and automation. It simplifies day-to-day tasks for cybersecurity specialists at companies and organizations. This is especially relevant for small security teams who could benefit from automation.
As a result of making ANY.RUN’s products a part of your security infrastructure via an SDK, you can:
Simplify and speed up malware analysis and threat hunting for your security team.
Automate routine tasks to save resources for manual in-depth investigation.
Access data on real threats collected by 500,000 researchers and 15,000 companies worldwide.
Reduce the cost of alert triage, incident investigation, and post-attack response.
Mitigate financial and reputational risks by equipping your defense with advanced solutions for threat analysis and detection.
Our SDK simplifies integration of ANY.RUN’s products into your infrastructure. You can use it for enhanced flexibility, accelerated workflow, and automation of daily tasks.
Tailor the service to the needs of your business with our software development kit by making ANY.RUN’s solutions a part of your system, be that SIEM, SOAR, or XDR.
Accelerate workflows and increase detection rate in your SOC by integrating ANY.RUN’s products via SDK
Browse URLs and file hashes, as well as check IOCs, IOBs, IOAs and receive other data on threats with TI Lookup.
Establish the constant IOCs flow reception with TI Feeds.
We make sure that the software development kit always complies with the current API version and covers all of its functions, enabling you to always stay on top of things.
How to implement
ANY.RUN’s software development kit is based on Python, the most popular programming language for malware analysts. It includes documentation, libraries, and code samples for you to explore. For instructions on how to install and use it, see:
We welcome contributions from other developers. You can report bugs and suggest enhancements that would be beneficial for your company, and we’ll be happy to review them, resolve the issues, and make adjustments. For more info on how to contribute, see our guide.
Use cases of ANY.RUN’s SDK
Save resources on TI Feeds processing
ANY.RUN’s TI Feeds provide large amounts of data on IOCs. To process all of this data efficiently, while keeping RAM load low, you can use the SDK. This will help you set up automated download of feeds in chunks, rather than in one go.
import os
from anyrun.connectors import FeedsConnector
from anyrun.iterators import FeedsIterator
def main():
with FeedsConnector(api_key) as connector:
for feed in FeedsIterator.stix(connector, period='week', chunk_size=5):
print(feed)
if __name__ == '__main__':
api_key = os.getenv('ANY_RUN_FEEDS_API_KEY')
main()
Simplify the submission process in ANY.RUN’s Sandbox
Instead of manually submitting URLs and downloading analysis summaries in ANY.RUN’s Interactive Sandbox, configure the SDK to automate these processes.
YARA Search in TI Lookup allows you to scan our threat intelligence database to find files that match your descriptions. With the SDK, you can receive search results automatically using just one command:
import os
from pprint import pprint
from anyrun.connectors import YaraLookupConnector
def load_yara_rule() -> str:
with open('yara_lookup_rule_sample.txt', 'r') as file:
return file.read()
def main():
with YaraLookupConnector(api_key) as connector:
lookup_result = connector.get_yara(load_yara_rule(), stix=True)
pprint(lookup_result)
if __name__ == '__main__':
api_key = os.getenv('ANY_RUN_Lookup_API_KEY')
main()
Choose a connection method (for any service)
You can use the SDK to connect to any service synchronously or asynchronously. Both methods include the same parameters and functions. For example, in TI Lookup you can switch between them with these code samples:
Request a trial period for your SOC team and explore ANY.RUN’s services with new possibilities brought by the SDK.
ANY.RUN for Business
Discover all features of the Enterprise plan designed to simplify the work of companies and security teams.
See details
About ANY.RUN
ANY.RUN’s services are used by over 500,000 cybersecurity professionals worldwide, including SOC teams at over 15,000 companies. ANY.RUN’s Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, and Android systems, while the threat intelligence products TI Lookup and TI Feeds enable organizations to enrich their knowledge on active and emerging cyber attacks.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-17 12:06:422025-04-17 12:06:42Seamlessly Integrate ANY.RUN’s Services into Your Infrastructure via SDK
Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025.
A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025.
The language settings of the muti-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals.
Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks.
Talos’ analysis exposes the network connection between central controller, sub-controller and XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.
Linux XorDDoS trojan trend and victimology
The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into “zombie bots” that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals.
From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device.
Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.
Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.
Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.
Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attack and the attacks are globalized. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.
Figure 3. Percentage of XorDDoS attempted targets across all regions.
Infection chain
XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.
Figure 4. Inint script and cron script embedded in trojan.
The latest version of XorDDoS malware continues to use the same decryption function and the XOR key “BB2FA36AAA9541F0” to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.
Figure 5. Talos CyberChef decryption.
XorDDoS new sub-controller and central controller
Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the “VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.
Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. The VIP version of the XorDDoS trojan builder includes new feature descriptions. When translated, the description in Figure 7 reads, “Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization.”
Figure 6. VIP version sub-controller.Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.
Talos observed a new version of the sub-controller, which we call the “central controller.” Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.
Figure 8. Example view of central controller controlling each sub-controller.
The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller, allowing the central controller to fully remote control the sub-controllers.
Figure 9. Generator Setting
The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller’s process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:
“Check the SYN packet length to make it a large packet, otherwise it will be a small packet.
A round-robin attack is a task performed by all online hosts.
Select the host and click the test mode, which means a single host sends a packet.
Multiple measurement modes cannot be selected, only one at a time!
The round-robin attack needs to be stopped manually.
Supports 1024 packages but requires a corresponding sub-controller.
The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages.”
Second, the controller’s creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.
Figure 10. Central controller and controller binder.
Advanced XorDDoS traffic analysis
Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.
Figure 11. XorDDoS control flow diagram.
The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including “phone home,” which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.
Figure 12. Example of decrypted phone home data.
We noticed that the latest VIP version’s “phone home” CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan’s phone home data, we will focus here on the behavior of the controller’s responses and any modifications in the CRC header.
Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to “5343f096000000000200000000000000000000000000000000000000”, as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.
Figure 13. The CRC header changes after successfully establishing a connection.Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.
Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller’s machine information back to the central controller as a “phone home” beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.
Figure 15. Network flow of the phone home connection.
Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it’s important to note that the MSG numbers for sent packets and received packets are not directly related to each other.
Figure 16. Network flow of central controller sending the command to sub-controller.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.
ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos
Indicators of Compromise
IOCs for this threat can be found in our GitHub repository here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-17 10:06:422025-04-17 10:06:42Unmasking the new XorDDoS controller and infrastructure
In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let’s elaborate on their essence, difference, and use.
Distinction in a Nutshell
IOCs
IOBs
IOAs
Definition
Artifacts or observables that suggest a system has already been compromised
Patterns or activities that indicate an attack is in progress or imminent
Describes the adversary’s TTPs (Tactics, Techniques, and Procedures), often abstracted from specific tools or campaigns
Nature
Reactive
Proactive
Strategic
Type
Technical evidence left behind
Behavioral analysis
High-level behavioral models
Purpose
Help identify intrusions and data breaches
Detect and block attacks before they succeed
Understand and profile attackers across campaigns or tools
Use
Used in threat detection tools like SIEM, IDS/IPS, antivirus, and EDR. Help correlate logs and trace how an attack occurred. Often shared via threat intelligence feeds.
Applied in real-time detection by EDR/XDR platforms. Used in behavioral analytics and heuristics. Focus on what the attacker is trying to do, not just the tools used.
Used in threat modeling, proactive defense, and red teaming. Integrated into MITRE ATT&CK mapping, behavior-based threat hunting. Help anticipate novel attack chains and identify APTs.
Indicators of Compromise
IOCs are pieces of evidence that suggest that a system, network, or device has been compromised by a cyberattack or malicious activity. They are typically reactive, meaning they are identified after an attack has occurred.
The main purpose of IOCs is to help detect and confirm security incidents with known threats or malware. They serve as forensic evidence in incident investigations and are necessary for adequate incident response and mitigation.
More often than not IOCs are specific — tied to a particular malware or campaign.
Network-based: suspicious IP addresses, domains, URLs, or unusual traffic patterns (e.g., connections to a known command-and-control server).
System-based: registry key changes, unauthorized user accounts, or suspicious processes running.
Being reactive by their nature, IOCs are of immense help in threat prevention. When used smartly, they can be weaponized to block, disrupt, or preempt similar attacks in the future.
This function is provided by threat intelligence: SOC teams collect indicators associated with known malware and incidents (malicious IPs, domains, file hashes, or URLs) and blacklist them in their security systems to prevent future communication or execution associated with those IOCs.
For example, a phishing domain seen in a past attack is added to the block list, preventing any user from accessing it if reused. Potential IOCs can be checked with the help of services like ANY.RUN’s Threat Intelligence Lookup. It searches for information from malware samples added and analyzed in the Interactive Sandbox:
The IP is flagged as malicious, linked to known malware, and should be blocked
Another way of using IOCs for proactive protection is setting up decoys (honeypots or honeytokens) to monitor access to known indicators or infrastructure that mimics IOC traits.
Finally, IOCs reveal which vulnerabilities are being exploited, so teams can prioritize patching or tighten firewall rules accordingly.
Enrich alerts and expand threat context with TI Lookup Get 50 trial requests to collect your first intel
IOCs have their limitations, though. They may not help to detect brand new or advanced threats. It’s important to keep in mind that attackers can easily change IOCs (e.g., domains, hashes), so IOC-based prevention is only as effective as its freshness and context. Context also helps to reduce false positives in detection.
Context can also be provided by TI Lookup: it supports over 40 search parameters and wildcards which allows to combine indicators and parameters in complex search queries:
Combining several IOCs in one search request helps to enrich the indicators with context
Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic.
Switching to the Analyses tab in the search results, we see, that the combination of mutexes with such innocent general names as PackageManager and DocumentUpdater occurs in malware campaigns of MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.
On the other hand, this combination of mutexes was last spotted in malware samples about four months ago which allows us to consider this signal obsolete.
Security teams share IOCs via threat intelligence feeds: continuously updated data streams with indicators from fresh malware samples integrated with monitoring and detection systems. ANY.RUN provides Threat Intelligence Feeds in STIX and MISP formats.
Boost threat detection with ANY.RUN’s TI Feeds Get continuous stream of malicious IOCs from the latest attacks on 15,000+ companies
IOBs focus on patterns or behaviors that suggest malicious activity, rather than specific artifacts or static signatures. They describe how an attacker operates, often describing tactics, techniques, and procedures (TTPs). In other words, these indicators focus on what an attacker does rather than specific tools or files.
This enables them to be used for detecting zero-day attacks, unknown or evolving threats that may not have specific IOCs which makes IOBs useful in proactive threat hunting and monitoring. Suspicious behavior can signal an attack in progress, before significant damage occurs.
IOBs may refer to:
User Behavior: An account logs in from an unusual location or at an odd time.
System Behavior: A process attempts to access sensitive files repeatedly or executes unauthorized scripts.
Network Behavior: Encrypted traffic spikes to unknown external servers, resembling data exfiltration.
Thus, typical examples of IOBs are:
Use of living-off-the-land binaries (e.g., rundll32, certutil);
Obfuscation techniques;
Credential dumping after privilege escalation;
Repeated use of valid accounts for persistence.
IOBs also come with a few shortcomings. It requires advanced analytics, such as behavioral analysis or machine learning, to identify anomalies. Sophisticated monitoring tools (e.g., SIEM, UEBA) should be employed to work with this family of indicators. They can be resource-intensive to analyze and validate. And they may produce false positives if legitimate behaviors mimic malicious ones.
ANY.RUN’s Interactive Sandbox allows analysts to observe how malware or suspicious files behave in a controlled environment and detect anomalous behaviors that may indicate a potential threat. For example, in this analysis session we see remote code execution via mshta.exe triggered by a command entered manually by a user and mentioning a (misspelled) CAPTCHA:
Abuse of legitimate Windows component observed in a malware analysis session
What does this activity indicate? In their latest campaign, Storm-1865 distributed phishing emails impersonating Booking.com. The emails contained links leading to fake CAPTCHA pages designed to build trust and lure users into interaction. The threat actor leveraged the ClickFix technique, instructing victims to paste a malicious command into the Windows command prompt.
Enrich your threat knowledge with TI Lookup
Learn about TI Lookup and its capabilities to see how it can contribute to your company’s security
Explore more
The campaign has been observed delivering several commodity malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT. With the following TI lookup query, we can search through recent public sandbox analyses and find samples with the same malicious activity for further research:
Malware with a typical behavioral pattern found via TI Lookup
Indicators of Attack
IOAs are proactive indicators that focus on the intent and actions of an adversary during an attack, emphasizing the “how” and “why” of malicious activity. They aim to detect attacks in real time, and to catch it in its early stages (e.g., during reconnaissance, exploitation, or lateral movement). This allows cybersecurity teams to prevent attacks by interrupting the kill chain.
Examples of IOAs:
Reconnaissance: Unusual port scanning or enumeration of network resources.
Exploitation: Attempts to exploit a known vulnerability (e.g., SQL injection or buffer overflow).
Persistence: Installation of backdoors or scheduled tasks to maintain access.
Lateral Movement: Abnormal internal network traffic, such as attempts to access multiple systems with stolen credentials.
C2 Communication: Process beaconing to rare external IP at intervals.
Credential Theft: LSASS memory access by a non-standard process.
Data Exfiltration: Sensitive files zipped and sent via Dropbox or OneDrive.
What typical indicators of attack might look like:
Word document spawns PowerShell;
Process injection detected;
A user logs in from two geographies within minutes;
Suspicious lateral movement.
Since IOAs are specific signs of an active or imminent attack, often tied to known TTPs or malicious artifacts, it is possible to research these indicators with the aid of ANY.RUN’s Threat Intelligence Lookup through the Interactive MITRE ATT&CK Matrix.
The Matrix lets you map TTPs to actual samples of malware and phishing threats and view their entire execution chain inside the Interactive Sandbox, as well as collect additional indicators.
Conclusion
The most valuable aspect of indicators in institutional cybersecurity is of course their potential to help prevent threats and incidents, stop attacks from succeeding, and thus avoiding financial loss, operational disruption, and reputation damage. Regularly collecting and using IOCs, IOAs, and IOBs, including with the services like ANY.RUN’s TI Lookup and TI Feeds, can help your SOC team fight off threats and keep your infrastructure safe.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-16 13:06:432025-04-16 13:06:43How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Eclipse vulnerabilities
Discovered by Kelly Patterson of Cisco Talos.
Eclipse ThreadX is an embedded development suite including an operating system that provides performance for resource-constrained devices.
TALOS-2024-2098 (CVE-2025-0726, CVE-2025-2260) A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1, TALOS-2024-2104 (CVE-2025-0727, CVE-2025-2259) and TALOS-2024-2105 (CVE-2025-0728, CVE-2025-2258). Specially crafted network request packets can lead to denial of service. An attacker can send malicious packets to trigger these vulnerabilities.
STMicroelectronics vulnerabilities
Discovered by Kelly Patterson of Cisco Talos.
STMicroelectronics is a European multinational semiconductor contract manufacturing and design company.
TALOS-2024-2096 (CVE-2024-45064) is a buffer overflow vulnerability in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.
TALOS-2024-2097 (CVE-2024-50384-CVE-2024-50385) is a denial-of-service vulnerability in the NetX Component HTTP server functionality. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality. For TALOS-2024-2102 (CVE-2024-50594-CVE-2024-50595), a specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For TALOS-2024-2103 (CVE-2024-50596-CVE-2024-50597), a specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
In late March, the popular CISO MindMap, a cheat sheet on infosec team priorities, was updated. However, the economic landscape began shifting just days after its release. Now that the likelihood of economic instability, recession, falling oil prices, and rising microchip costs has increased, many companies and their CISOs face a pressing issue: cost optimization. In light of these developments, we decided to examine the CISO MindMap from a different angle, and highlight new or crucial infosec projects that can contribute to budget savings without creating excessive organizational risks.
Optimization of tools
MindMap authors advice CISOs to “consolidate and rationalize infosec tools”. In an IDC study from 2024, something like half of all large organizations surveyed used more than 40 infosec tools, and a quarter – more than 60. This abundance typically leads to decreased productivity, employee fatigue from unsynchronized and uncoordinated alerts, and excessive expenditure.
The solution lies in either consolidating the tech stack under a single-vendor approach (one vendor for the security platform and all its components), or selecting the best tool in each category. The latter approach requires (i) strict compliance with open communication standards, and (ii) API integration capabilities. It’s better suited for technologically mature teams capable of allocating internal resources (primarily time) to properly and efficiently set up integrations according to the infosec department’s procedures.
For effective stack consolidation, there are specialized planning tools that can assess all infosec systems that have been implemented, identify gaps in coverage, and pinpoint areas of significant functional overlap. This analysis also reveals inefficiently used tools that can be safely eliminated. For some niche and infrequent tasks, open-source tools can bring about budget savings. However, for large systems like SIEM that see regular use, open-source solutions may not be cheaper than proprietary ones due to the extensive efforts required for implementation, fine-tuning and support.
Consolidation often goes hand-in-hand with automation, which is only achievable with a well-synchronized toolset. In the same above-mentioned IDC study, it was found that companies that consolidated their tools and adopted modern XDR and SOAR solutions achieved average cost savings of 16% and analyst time savings of 20%. Simultaneously, they saw an improvement in organizational security with Mean Time to Respond (MTTR) decreasing by 21% and incident resolution time by 19.5%.
Automation
While automation projects initially involve additional expenses, their implementation in infosec processes pays off in the long run by saving analyst time and mitigating the talent shortage. Automation is not necessarily based on neural networks and language models, but these trendy technologies are already making practical contributions in several infosec areas. Tangible results are primarily achievable through the following measures:
Application of infosec policies to accounts and resources
Verification of compliance of internal policies with regulatory ones and enforcement of these policies
Risk assessment and prioritization of infosec controls
Automated third-party risk management (TPRM)
Generative AI
Despite the economic challenges, many companies continue to prioritize the implementation of AI-powered tools, viewing these as essential for future competitiveness and economic efficiency. Some organizations have even issued management directives such as “Before you hire a new employee, prove that AI cannot do their job.”
From the infosec perspective, the widespread adoption of AI-powered technology has both advantages and disadvantages. On the one hand, the vast and poorly understood array of AI tools creates a significant additional workload on infosec teams. On the other, it provides an opportunity to launch and fund various infosec initiatives within the broader corporate AI implementation program. To effectively manage AI-related risks, a company needs to do the following:
Establish standards and regulations for the use of AI-powered solutions, while keeping in mind the rapidly evolving regulatory landscape in this area
Create a controlled list of approved AI tools for different departments and processes
Regularly review recommendations and verify that all AI-driven processes comply with infosec policies
Include AI tools in the asset inventory for vulnerability management and infosec assessments
Develop specialized training programs for both AI users and infosec personnel
Using open-source AI solutions instead of proprietary cloud systems can reduce operational costs and enhance data protection – especially when the solutions are deployed within the organization’s network or in a private cloud. However, the availability of suitable, high-quality open-source models depends on the specific use case.
Meaningful infosec metrics
This area doesn’t require substantial financial investment but it significantly simplifies the process of justifying infosec budgets to the board of directors. The composition of key metrics varies across industries and companies, but the following groups are worth considering:
Organizational readiness for attacks (MTTR, MTTD) and its trends
Progress in ongoing infosec projects, including automation and tool consolidation
Effectiveness of infosec measures and its trends: average time to remediate critical and other vulnerabilities, percentage of users successfully passing cybersecurity testing, and so on
Identity management
While implementing comprehensive IAM solutions can be expensive, companies can find a balance that provides significant risk reduction at a reasonable cost.
Many companies still lack basic infosec controls like multi-factor authentication. Even limited implementation of these controls significantly reduces the risk of compromise through credential theft. In addition to cost-effective solutions that utilize TOTP-based authenticator apps, 2025 has seen passkey-based solutions mature and become quite user-friendly on the major platforms (Microsoft, Google, Apple). This phishing-resistant, highly affordable authentication method is worth deploying at least for employees who have access to critical data and systems, and ideally, for everyone. Ultimately, the transition to passkeys can also improve efficiency for all employees, as password-free access saves time and reduces support costs for password-related issues.
Another aspect of IAM is centralized management of machine identities, API tokens, and other secrets. Due to a significant increase in attacks on cloud environments, investments in this area are likely unavoidable. However, many companies can strategically plan the implementation of appropriate tools by deploying open-source solutions in their infrastructure, utilizing secret managers included in their cloud provider subscriptions, and so on.
SOC cost management
Security operations centers (SOCs) represent a major expense in any infosec budget, with significant costs associated with analyst effort, data storage, and processing. Effective separation into “hot” and “cold” log storage can significantly reduce data storage costs. For large companies, it’s worth considering hierarchical or geographically distributed processing infrastructure. In some cases, such as with our SIEM – the Kaspersky Unified Monitoring and Analysis Platform – SIEM hardware savings can reach 50%.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-15 20:06:512025-04-15 20:06:51CISO priorities in 2025 | Kaspersky official blog
Thank you for subscribing and make sure to check your inbox. Please note that the email may take a few minutes to arrive.
What’s Inside the Report
Get your free copy of the report to save time on research
ANY.RUN’s Malware Trends Report provides a comprehensive analysis of the current cyber threat landscape. The report includes insights from malware and phishing samples analyzed by 15,000 companies and 500,000 analysts inside the Interactive Sandbox in Q1, 2025.
It enables organizations to save hours on research by offering actionable intelligence to enhance security resilience. Key threats covered in the report:
Learn all about the most recent malware trends to keep track of growing threats and stay alert to protect your organization.
About ANY.RUN
ANY.RUN’s services are used by SOC teams and companies across different industries, including finance, manufacturing, healthcare, and technology.
The Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, & Android systems. It provides capabilities for hands-on and in-depth investigations of complex malware and phishing scenarios.
Threat Intelligence Lookup enables organizations to enrich their knowledge on active cyber attacks, while TI Feeds allow businesses to expand threat coverage and detection.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-15 14:08:262025-04-15 14:08:26Malware Trends Report, Q1 2025: Get Your Copy
Every piece of malware leaves traces behind. Sometimes it’s a string buried deep in the code. Other times it’s a mutex, a registry key, or a network pattern. The key is knowing what to look for.
That’s exactly what malware signatures are for. They describe these recurring elements, unique strings, behaviors, or structural patterns, that can be used to reliably identify known threats.
Security teams use these signatures to detect and flag malicious activity; sometimes before the malware even has a chance to do damage.
In this article, we’ll break down what malware signatures are, the different types you’ll encounter, and how tools like YARA and Suricata help turn small clues into confident decisions.
What Is a Malware Signature?
A malware signature is a unique indicator tied to a specific piece of malicious software. It could be a text string, a file hash, a mutex, or even a sequence of behaviors. Security tools use these signatures to recognize and flag known threats, kind of like matching fingerprints at a crime scene.
The goal is simple: spot malware based on something that consistently shows up across samples from the same family or campaign. Once identified, these signatures become part of detection rules used by antivirus engines, sandboxes, and intrusion detection systems.
How Are Malware Signatures Created?
Malware signatures are usually crafted by security researchers and automated detection systems after analyzing how a threat behaves or what it contains.
When a new malware sample is discovered, analysts break it down, looking at code, memory behavior, registry changes, network traffic, and other markers. If they notice something unique or consistently present across samples, like a specific mutex name, string, or packet structure, that becomes a potential signature.
Depending on the tool or platform, these signatures might take different forms;
Static signatures are based on strings, byte sequences, or file hashes.
Behavioral signatures are based on what the malware does, like creating certain processes or modifying the registry.
Custom rules, like YARA or Suricata, allow analysts to define more complex patterns based on real-world observations.
Main Types of Malware Signatures
Not all malware looks or behaves the same, and the same goes for how we detect it. Over time, security teams have developed different types of signatures to match different kinds of threats.
Here are the most common ones:
Static Signatures
These are the most traditional and widely used. Static signatures match fixed elements inside a file, like strings, byte sequences, or hashes, without needing to run the malware.
Key traits:
Match based on file content (strings, hex patterns, hashes)
Fast and efficient for known threats
Can be bypassed through obfuscation or slight code changes
Commonly used in antivirus software
Heuristic Signatures
Heuristic signatures look beyond exact matches. They evaluate the structure or logic of a file to identify suspicious patterns that may indicate malware, even if the sample is new or modified.
Key traits:
Detect threats based on suspicious code structures
Useful for catching variants or zero-day malware
May generate false positives if too broad
Often found in email filters, AVs, and static analyzers
Behavioral Signatures
Rather than scanning a file, these signatures monitor what it does when executed. If it behaves like malware, e.g., injecting code or modifying the registry, it gets flagged.
Key traits:
Trigger on real-time actions and behaviors
Great for catching fileless or evasive malware
Requires sandboxing or endpoint monitoring
Common in EDRs, sandboxes, and dynamic analysis tools
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
How Detection Tools Use Signatures: YARA and Suricata
Once malware signatures are defined, they need to be used effectively, and that’s where tools like YARA and Suricata come in. Each serves a unique purpose: one focuses on files and memory, the other on network traffic. Together, they cover a wide range of threats and detection angles.
YARA Signatures: Matching Patterns in Files and Processes
YARA is a rule-based detection tool that helps analysts identify malware by describing textual or binary patterns. It’s especially powerful for hunting threats across memory dumps, unpacked payloads, or large malware datasets.
YARA helps security teams quickly identify threats by matching known patterns in files, processes, or memory. It automates what would otherwise be a slow, manual process, making detection faster, more accurate, and more scalable.
Its real strength lies in customization. Teams can write tailored rules to catch specific malware strains or adapt to new threats as they emerge. When combined with ANY.RUN’s interactive sandbox, YARA also reveals how they behave, giving organizations the insight they need to act fast and prevent damage.
Key benefits of YARA in a security workflow:
Speeds up detection and reduces manual effort
Detects both known and emerging malware families
Cuts down false positives with precise rules
Boosts efficiency across security teams
Helps contain threats early and minimize risk
Real-World Example: Matching the Mutex Pattern
YARA rule example pulled from ANY.RUN sandbox analysis
Let’s look at an example of YARA rule used in ANY.RUN’s sandbox:
$s6 = “Local\SM0:%d:%d:%hs” wide
This string is part of a rule designed to detect mutexes created by certain malware families.
This mutex exactly matches the YARA signature pattern. The use of placeholders like %d and %hs allows the rule to flexibly detect variations of this format across different samples.
%d matches any sequence of digits (0–9)
%hs matches a short string or hexadecimal value, typically 2 bytes
This is a great example of how YARA rules aren’t just powerful, they’re also adaptable to the real-world quirks of evolving malware behavior.
Submit suspicious files and URLs to ANY.RUN for proactive analysis of threats targeting your company
Suricata Signatures: Detecting Malicious Behavior in Network Traffic
While YARA focuses on identifying malware based on what it is, Suricata helps detect malware based on what it does across the network. It’s an advanced intrusion detection system (IDS) that monitors real-time traffic and flags suspicious behavior using both signature- and anomaly-based techniques.
ANY.RUN integrates Suricata to enhance threat visibility at the network level, allowing analysts to catch threats as they try to communicate with command-and-control servers, exfiltrate data, or spread laterally. Suricata signatures give security teams immediate context; what’s happening, where, and why it matters.
Click on the Threats tab inside ANY.RUN sandbox to view all threats detected by Suricata rules
Key benefits of Suricata in a security workflow:
Detects malicious traffic and C2 communication in real time
Complements file-based detection with network-layer visibility
Helps attribute threats to specific malware families
Speeds up incident response with actionable alerts
Empowers teams with visibility into protocol activity across multiple layers
Suricata Rule Example from ANY.RUN Sandbox Analysis
In ANY.RUN, Suricata rules are applied automatically during sandbox analysis. Let’s take a look at a real-world detection involving Gh0st Remote Access Trojan (RAT).
Suricata rule triggered by Gh0st RAT inside ANY.RUN
After execution, the sample initiates suspicious encrypted traffic. Suricata instantly detects it and flags the connection as Gh0st RAT activity.
Gh0st RAT detected by Suricata
How it works:
Suricata inspects packets across protocols (HTTP, TCP, UDP, etc.)
It matches patterns defined in the ET (Emerging Threats) rule sets
Once a match is found, it provides detailed metadata: source/destination IPs, ports, signature ID, and threat name
Clicking on a threat from the list reveals its details
By switching to the Suricata rule tab, you’ll be able to inspect it more thoroughly.
Suricata signature displayed inside the ANY.RUN sandbox
Making the Most of Malware Signatures in ANY.RUN
Malware signatures can do a lot on their own but when they’re used in the right environment, they become even more useful.
Inside ANY.RUN’s sandbox, YARA and Suricata work together to give you the full picture. You can see what a file is doing locally, spot mutexes, registry changes, and other signs of malicious behavior, then switch to the network layer to catch things like encrypted C2 traffic or data exfiltration. Both angles are covered, without having to jump between tools.
Instead of switching between tools, analysts get everything in one place; interactive, real-time, and backed by constantly updated signature sets. This gives less time digging and more time acting.
If your goal is to reduce investigation time, improve detection accuracy, and truly understand how malware behaves, ANY.RUN puts those capabilities right at your fingertips.
About ANY.RUN
ANY.RUN is used by over 500,000 cybersecurity professionals and 15,000+ companies across finance, manufacturing, healthcare, and other industries. Its Interactive Sandbox offers fast threat analysis for Windows, Linux, and Android, aiding malware and phishing investigations. Threat Intelligence Lookup and TI Feeds enhance cyber attack knowledge and detection.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-04-15 11:06:422025-04-15 11:06:42Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats
