When malware infiltrates a system, it doesn’t always make noise. In fact, some of the most dangerous threats operate quietly embedding themselves deep within the system and ensuring they come back even after a reboot. One of the most common ways they achieve this is by abusing the Windows Registry. 

In this article, we’ll walk through how registry abuse works, the signs to watch out for, and how security analysts can catch it using interactive sandboxes, such as ANY.RUN. 

What Is Registry Abuse in Malware? 

The Windows Registry is an important part of the operating system. It stores configuration settings that determine how Windows behaves, how software runs, and even how users interact with the system. From startup routines to driver settings and user preferences, the registry touches almost every part of the OS. 

As it’s central, the registry is also a target for malware authors. By modifying registry keys and values, malware can silently manipulate system behavior to: 

• Stay persistent by adding itself to autorun keys, it ensures execution every time the system boots. 

• Hide from users disabling Task Manager, hiding file extensions, or suppressing warnings to avoid detection. 

• Weaken security turning off Windows Defender or blocking updates to bypass protection. 

• Control user behavior redirecting browser traffic, setting fake proxies, or hijacking default apps. 

The Fastest Way to Spot Registry Abuse inside ANY.RUN Sandbox 

Traditional security tools often miss subtle but critical signs of registry abuse, especially when malware hides behind scripts or legitimate-looking processes.  

By running suspicious files or links inside ANY.RUN’s interactive sandbox, analysts can observe real-time registry changes as they happen, without waiting for static scans to catch up. 

Why It’s So Effective: 

• Instant visibility into registry modifications, autorun key changes, and process behaviors 

• Behavior-based detection, not just signatures; perfect for catching new or obfuscated threats 

• Clear labeling and process tree that highlight when a script or binary tampers with the registry 

• Integrated threat intelligence tags (e.g., FormBook) to identify malware families quickly 

• Interactive control, so you can simulate real user actions that trigger registry abuse (like opening a file or clicking a button) 

Real-World Examples of Registry Abuse in Malware 

Now, let’s look at how malware abuses the registry in practice and how ANY.RUN makes it easy to detect. 

1. Persistence via Autorun Key Modification 

This sample shows how the malware (BootstrapperNew.exe) abuses the registry to ensure it launches automatically every time the system boots; a classic persistence mechanism. 

View analysis session 

As shown in the analysis, the malware modifies the following registry key: 

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun 

It adds a new value: 

• Name: BootstrapperNew 

• Value: C:UsersadminAppDataRoamingWindowsBootstrapperNew.exe 

• Operation: Write 

• Type: REG_NONE 

You can check all these details by checking the “BootstrapperNew.exe” process from the right part of the screen. 

Click on the tactic to get all the details: 

This modification triggers Windows to execute the malicious file at every user login, giving the attacker a reliable foothold on the system. 

ANY.RUN also flags this behavior with the MITRE ATT&CK sub-technique T1547.001 (Registry Run Keys / Startup Folder), clearly highlighting the persistence mechanism used. The visual process tree further confirms the execution flow, registry operation, and background network activity. 

With static detection tools, this behavior might go unnoticed. But in ANY.RUN’s sandbox, the threat is immediately identified, tagged, and visually traceable in real time, from registry edit to scheduled task creation. 

2. FormBook Stealer Using Registry for Stealth 

In this example, the malware identified as FormBook manipulates the Windows Registry to aid in stealth and persistence. 

View analysis session 

Right after execution, FormBook writes a new registry entry under: 

• Key: HKEY_CURRENT_USERSOFTWARESoftina 

• Name: MMM-Vkusnaa 

• Value: 19.06.2025 

Custom registry values like this aren’t random. They’re typically placed in obscure subkeys (SOFTWARESoftina in this case) to avoid detection and logging by standard monitoring tools,  but in ANY.RUN’s sandbox, it’s instantly visible and tied to MITRE technique T1112: Modify Registry. 

3. System Profiling Through Registry Access 

Some malware doesn’t act immediately. Instead, it quietly profiles the environment to decide how (or whether) to execute. That’s exactly what we see in this sample, where the malware queries the registry to gather detailed system information. 

View analysis session 

One of the first actions taken is a read operation targeting: 

• Key: HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor 

• Name: ProcessorNameString 

This query fetches CPU information, such as model name and vendor. While this might seem benign, it plays a crucial role in anti-analysis and evasion tactics. 

Why malware reads CPU info: 

• Environment validation: Malware may use CPU data to check if it’s running on a real machine or a virtual one (e.g., commonly used by sandboxes or researchers). 

• Tailored payloads: Some threats adapt their behavior based on system specs, avoiding execution if they detect low-end CPUs or virtual environments. 

• Fingerprinting the target: CPU info is often collected alongside other system data to create a unique victim profile. 

But this is just the beginning. According to the MITRE ATT&CK technique T1012: Query Registry, this sample retrieves a wide range of values: 

• Proxy configuration: Determines whether the system uses a proxy and may hijack it 

• Machine GUID: A unique identifier, useful for tracking infected hosts 

• Installed software (50 reads): Likely for reconnaissance or to check for security tools 

• Internet Explorer security settings: May suggest preparation for exploit delivery via browser 

• System language & locale: Used to avoid infecting machines in certain countries 

• Computer name & Windows product ID: Adds more detail to the fingerprint 

• Software policy settings: Used to detect restrictions or protections enabled by admins 

This shows how malware can treat the registry as a rich source of system intelligence. Each value queried helps build a clearer picture of the host environment, guiding the next malicious action. 

4. Suspicious Registry Modification via REG.EXE 

This sample involves a process (_virlock.exe) that uses reg.exe, a legitimate Windows utility, to modify the registry. This kind of activity isn’t inherently malicious, but in the context of malware execution, it often signals stealthy post-infection behavior. 

View analysis session 

Shortly after execution, the malware launches a command: reg add HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v HideFileExt /t REG_DWORD /d 1 

This command modifies the registry to hide file extensions for known file types, a well-documented trick used by malware to disguise malicious executables (e.g., invoice.pdf.exe appears as invoice.pdf). 

Why it’s suspicious: 

• This change is frequently used in social engineering attacks, where victims are tricked into running malware that looks like a harmless document. 

• The behavior is executed via reg.exe, which is a living-off-the-land binary (LOLBIN); a legitimate tool abused by attackers to avoid detection. 

• ANY.RUN flags this activity under T1112: Modify Registry, and classifies it as a Warning / Unusual Activity. 

This case is a good reminder that not all registry abuse is about persistence. Some changes are purely meant to deceive the user, reduce visibility, or mask malicious actions. 

With ANY.RUN’s behavioral analysis, this tactic becomes immediately visible, showing which registry key was changed, how, when, and by what process, including full command-line context. 

5. Script-Based Registry Modification 

In this sample, we see a Windows Script Host process (wscript.exe) modifying the registry, not through a typical executable, but via script-based interaction. This kind of behavior is harder to detect, especially if you’re relying on traditional static analysis. 

View analysis session 

Thanks to ANY.RUN’s Script Tracer, we can observe the exact call and parameters used: 

• Key: HKCUSoftwareOJXVOPIitLTnYNgdonnsegment2   

• Value: (Hex-encoded string payload) 

• Process: wscript.exe   

• Operation: RegWrite via WshShell3 

This script creates a new key and writes what appears to be an obfuscated or encoded payload into the registry; a technique commonly used to: 

• Store secondary payloads or shellcode 

• Evade file-based detection mechanisms 

• Delay execution until a later stage (fileless persistence) 

The registry key name (OJXVOPIitLTnYNg) is randomly generated and meaningless, a common trait of obfuscated malware activity. 

We can see how the script writes a long block of hexadecimal content, which may later be decoded and executed, without ever dropping a traditional file on disk. 

These modifications fall under MITRE ATT&CK technique T1112: Modify Registry, and ANY.RUN labels this behavior as Dangerous (13 instances). 

Without behavioral analysis, this kind of registry manipulation would be nearly invisible, but with Script Tracer, security analysts can follow every step the script takes, down to the exact method calls and values. 

Spotting Registry Abuse is Easy with ANY.RUN 

Registry modifications are a common and powerful tactic used by malware to stay hidden, persist through reboots, and weaken your defenses. But with the right tools, these threats become much easier to spot, investigate, and respond to. 

ANY.RUN’s interactive sandbox doesn’t just show you what malware is doing, it visually breaks down every behavior, from registry edits to process injection and data exfiltration, in real time. 

• Faster threat detection 
  Catch malicious registry changes and system tampering before damage is done; no need to wait for traditional tools to catch up. 

• Improved incident response 
  With clear visual evidence and behavior chains, your team can respond to threats with greater accuracy and speed. 

• Reduced investigation time 
  Analysts can immediately see what’s been changed, what triggered the behavior, and which malware family is involved. 

• Stronger defenses across the board 
  By identifying how threats abuse the registry, you can harden your endpoints, update rules, and block similar attacks in the future. 

• Better collaboration and reporting 
  Export detailed analysis reports, share IOCs with teams, and make smarter security decisions faster. 

See how ANY.RUN’s interactive sandbox reveals the behavior behind modern threats in real time, and with full context. 

Access all capabilities of ANY.RUN’s Interactive Sandbox with a 14-day trial 

The post How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

You’ve probably already seen the headlines “The biggest leak in human history”. The whole world is in uproar after Cybernews journalists found the logins and passwords to 16 billion accounts in the public domain — two for each inhabitant of the planet! What is this leak, and what do you need to do right now?

What’s the leak, and are my credentials there?

The original study says that the Cybernews team has been working on the topic since the beginning of the year, and in six months they’ve managed to collect 30 unsecured datasets that add up to 16 billion exposed login credentials. The largest chunk of data — 3.5 billion records — is related to the world’s Portuguese-speaking population; another 455 million records are related to Russia, and 60 million are “most likely” related to Telegram.

The database is built on the following principle: URL, followed by login and password. That’s it, nothing else. At the same time, it’s said that the data of users of all the giant services was leaked: Apple, Google, Facebook, Telegram, GitHub, etc. Surprisingly, it was passwords and not hashes that ended up in the hands of the journalists. In our study How hackers can crack your password in an hour, we detailed exactly how companies store passwords (spoiler: almost always in closed form using hashing algorithms).

The story pays special attention to the freshness of the data: journalists claim that the 16 billion doesn’t include the biggest leaks, which we wrote about on the Kaspersky Daily blog. The important question remains behind the scenes: “Where did the 16 billion freshly leaked passwords come from, and why has no one seen them except Cybernews?”. Unfortunately, the journalists haven’t provided any evidence of existence of this database. Therefore, neither Kaspersky’s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours – or anyone else’s – data is in there.

According to Cybernews, the accessing the entire database was possible through the use of stealers. This seems reasonable, since this is a threat that’s gaining momentum. According to our data, the number of detected password-theft attacks worldwide increased by 21% from 2023 to 2024. Attackers are targeting both private and corporate users.

What you need to do right now

First, let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing.

The first and best recommendation is to change your passwords. There are many options for creating a new password that’s difficult for hackers to crack but easy to remember. We covered this in detail in our post Creating an unforgettable password – have a read and choose any method you prefer.

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Wingardium Leviosa charm for a good cause. Let’s try transforming this levitation charm according to the rule above while peppering it generously with special characters: Wi4ga/di0mL&vi@sa

Easy, right?

Store your passwords securely. The best solution is to use a special password manager. It will generate, securely store, and automatically fill in complex, hack-proof passwords on all your devices for you. You’ll only need to create and remember one main password, which will become a secure key to all other passwords, bank details, photos, and everything else that can be stored in Kaspersky Password Manager.

Set up two-factor authentication. Almost all popular services support 2FA in one form or another, and the presence of a second factor makes it much more difficult, if not impossible, to hack your account. Kaspersky Password Manager makes it easy to store and sync 2FA tokens, as well as generate one-time codes on either your smartphone or computer.

Remove saved passwords from browsers. Browsers are most often the culprit behind data breaches. Doubt it? Read our arguments in the article How to store passwords securely – there you’ll clearly see how hackers can swipe all the saved passwords from your browser in just a few seconds.

Protect your messenger accounts. For Telegram and WhatsApp we have a list of specific steps to take right now, before your account is hijacked.

Use passkeys wherever possible. This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others. Haven’t heard of this technology yet? Read the detailed description on our blog and follow the updates in our Telegram channel – next week we’ll tell you everything you wanted to know about passkeys: what kind of technology it is, how secure it is, who supports it, what are its advantages and disadvantages. And most importantly – we’ll give detailed step-by-step instructions on how to switch from insecure passwords to secure passkeys. And yes, you can also store, manage and sync passkeys using Kaspersky Password Manager.

What else do you need to know about passwords to avoid being hacked:

• How to create strong passwords and where to store them
• How to create an unforgettable password
• How hackers can crack your password in an hour
• Passwords 101: don’t enter your passwords just anywhere they’re asked for
• Messengers 101: safety and privacy advice

Kaspersky official blog – ​Read More

Threat analysis is a complex task that demands full attention, especially during active incidents, when every second counts. ANY.RUN’s Interactive Sandbox is designed to ease that pressure with an intuitive interface and fast threat detection.  

Our new feature, Detonation Actions, takes this further by highlighting detonation steps during analysis. When a specific action is needed to trigger the sample, like launching a file or clicking a link, it appears as a suggestion, so you know exactly what to do. 

Detonation Actions work in both manual mode and with Automated Interactivity. Whether you’re investigating manually or running automated sessions, this guided mode reduces the time it takes to respond to threats and helps you catch the full scope of malicious behavior with minimal effort. 

What Are Detonation Actions? 

Detonation Actions are built-in hints in ANY.RUN’s Interactive Sandbox that guide users step-by-step through the threat analysis process. They are available in every sandbox session, for all users, and help make both manual and automated investigations clearer and more efficient. 

See example 

Here’s how it works depending on your plan: 

• Free Plan: You can see the suggested actions and follow them manually during your session. 

• Paid Plans: Track and manage each action performed by Automated Interactivity, including via API, for a fully automated, hands-free analysis with full transparency and control. 

One Button to Start the Guided Mode 

Before launching your analysis, you’ll now see a new “Auto” button during the VM setup phase. Clicking this button starts your session with Automated Interactivity enabled, which in turn activates the guided mode, powered by Detonation Actions. 

For your convenience, you can also enable the same feature manually by toggling “Automated Interactivity (ML)” in the “Additional settings” section above. 

Once the session begins, you’ll notice Detonation Actions appear on the right side of the screen, next to the process tree. These hints show you exactly what steps have been or should be taken to trigger malicious behavior.  

This gives you a clear picture of what was done, what triggered the threat, and how it unfolded, helping you detect malicious activity faster and respond more confidently. 

In the manual mode, you can manually approve actions (by clicking the “Approve” button) or reject them (by clicking the “X” icon) for each suggested step. 

Automated Interactivity handles the actions for you; no manual approval needed. 

Thanks to Detonation Actions, you get a guided analysis flow that improves detection and drastically cuts down your time to respond. 

How Detonation Actions Help Analysts 

Automated Interactivity 

• Boosts detection rate by ensuring no critical actions are missed during analysis thanks to predefined, expert-crafted hints. 

• Visualizes critical detonation steps, showing which actions were performed or recommended during the analysis. 

• Frees up analyst time by automating routine tasks, so they can focus on more complex investigations while maintaining high detection quality. 

Manual Analysis 

• Helps uncover hidden threats by suggesting actions tailored to detonate specific malware types. 

• Simplifies investigations with interactive hints like “Running this executable” or “Following this link.” 

• Streamlines analysis of specific samples, for instance, by opening URLs in QR codes directly inside the analysis sessions. 

• Improves accessibility by making manual analysis more intuitive for SOC analysts at any skill level. 

• Speeds up decision-making through a clearer workflow and real-time actionable guidance. 

See It in Action: Detonation Actions + Automated Interactivity in a Real Sample 

Let’s walk through how Detonation Actions work in a real scenario using an .exe file and Automated Interactivity. 

View analysis session 

To start, we upload the .exe file and simply click the “Auto” button during the VM setup phase. This launches the sandbox session immediately with Automated Interactivity and Detonation Actions. 

As the session begins, we can see Detonation Actions popping up quickly in the right corner of the screen. These actions, such as “Launching a file from Task Scheduler” or “Extracting a file from an archive”, are automatically executed, moving the analysis forward without any manual intervention. 

At the same time, the Processes section started populating with detailed insights, showing each spawned process along with associated tactics, techniques, and indicators. 

This combination, automated execution + guided visibility, gives analysts a powerful advantage: a complete behavioral picture of the malware, without delays or missed steps. It’s fast, structured, and built for clarity. 

How SOCs and Businesses Benefit from It 

The introduction of Detonation Actions brings clear, measurable value to security teams and businesses by improving both the speed and quality of threat analysis. 

• Simplifies and accelerates threat analysis 
  Makes threat analysis easier and faster for SOC teams at any level, saving time, reducing manual effort, and boosting overall productivity. 

• Improves data handover between SOC Tiers 
  Enhances the quality of data transfer from Tier 1 to Tier 2 analysts through detailed, action-based reports, ensuring critical insights are passed along clearly and efficiently. 

• Enables faster incident response 
  Streamlines triage by automating key steps in the response process, reducing time to detect and respond to threats, and minimizing potential impact. 

• Boosts employee training and onboarding 
  Helps junior analysts learn faster thanks to clear, guided hints, shortening the learning curve and allowing them to contribute to investigations sooner. 

• Supports smarter decision-making 
  Empowers team members with more context and clearer behavioral evidence, helping them make faster, more confident decisions during investigations. 

• Integrates easily into automation workflows 
  Works seamlessly with automated triage and incident response setups, maintaining high detection rates while reducing manual overhead. 

Ready to Try It Yourself?

Detonation Actions are built to make your job easier, whether you’re triaging a live threat or onboarding a new team member. You get expert guidance, faster detection, and a clearer view of what malware is really doing. 

Start your next investigation with ANY.RUN’s guided mode and see how much smoother analysis can be. 

Launch your ANY.RUN sandbox session now 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Request trial of ANY.RUN’s services to test them in your organization →  

The post Simplify Threat Analysis and Boost Detection Rate with Detonation Actions  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Editor’s note: The current article is authored by Clandestine, threat researcher and threat hunter. You can find Clandestine on X.

Threat actors today are continuously developing sophisticated techniques to evade traditional detection methods. ANY.RUN’s Threat Intelligence Lookup offers advanced capabilities for threat data gathering and analysis. As a specialized search engine, it allows security analysts to query various indicators of compromise (IOCs), behaviors (IOBs), and attacks (IOAs), providing valuable insights into real-world malware activity observed in sandboxed environments.  

We shall review several advanced threat hunting techniques using ANY.RUN’s TI Lookup to provide cybersecurity researchers and threat intelligence analysts of SOC and MSSP teams with effective strategies to identify and analyze various types of threats.

Threat Intelligence Lookup Key Capabilities 

Threat Intelligence Lookup provides analysts with access to a vast malware database topped up by over 500,000 users of the Interactive Sandbox, including 15,000 corporate SOC teams. A single search request can deliver hundreds of relevant analysis sessions, malware samples, or indicators for further research and refining the results with more specific queries. 

Besides the ability to instantly get a verdict and context on a potential indicator of compromise, TI Lookup offers a number of functions that enable effective threat hunting and analysis: 

• IOC Lookups: Detailed searches of various indicators of compromise, including IP addresses, file hashes, URLs, and domain names.  

• Behavioral Lookups: Beyond traditional IOCs, the service enables searches based on behavioral indicators, such as registry modifications, process activities, network communications, and mutex creations. It is particularly effective for identifying unknown or emerging threats that may not have established IOCs. 

• MITRE Techniques Detection: The incorporation of the MITRE ATT&CK framework allows analysts to search for specific tactics, techniques, and procedures (TTPs) used by threat actors. This capability facilitates a more structured and comprehensive approach to threat hunting. 

• File/Event Correlation: The ability to correlate files and events helps analysts identify relationships between different components of an attack and understand the broader context of malicious activities. 

• YARA-based Threat Hunting: This capability allows for highly specific searches based on file characteristics and patterns. 

• Wildcards and Logical Operators: The search supports various wildcards and logical operators for the construction of complex and precise queries. 

The sophisticated query syntax of Threat Intelligence Lookup supports over 40 parameters, allowing for highly specific and contextualized searches. The basic structure of a query typically includes a parameter, a colon, and a value, often enclosed in quotation marks (e.g., submissionCountry:”us” ). 

Logical operators play a crucial role in constructing effective queries:  

• The AND operator requires both conditions to be true. 

• The OR operator requires at least one condition to be. 

• The NOT operator excludes results that match a specific condition.  

• Parentheses can be used to group conditions and establish precedence. 

Wildcards and special characters enhance the flexibility of queries:  

• The asterisk (*) represents any number of characters. 

• The question mark (?) represents a single character. 

• The caret (^) matches the beginning of a string. 

• The dollar sign ($) matches the end of a string. 

The search parameter set covers various aspects of threat analysis, including file properties (e.g., fileExtension, filePath), process activities (e.g., commandLine, imagePath), network communications (e.g., destinationIp, URL), registry operations (e.g., registryKey, registryValue), and threat classifications (e.g., threatName, threatLevel). 

Key Tasks Solved by Threat Intelligence Lookup 

Threat Intelligence Lookup is used by security teams worldwide to detect, prioritize, and contain threats faster. With TI Lookup, your SOC can: 

• Speed Up Incident Response: Flexible queries across 40+ IOCs, IOAs, and IOBs with 2-second response times and exclusive indicators enable SOC teams to quickly investigate and mitigate incidents, slashing Mean Time to Respond (MTTR) and minimizing damage. 

• Enhance Alert Triage with Contextual Insights: An extensive database of indicators on the latest attacks provides analysts with quick insights into any artifact, letting them enrich alerts, pin them to threats, and prioritize critical incidents.  

• Accelerate Threat Detection and Containment: Query Updates subscriptions and proactive searches using network artifacts help uncover hidden threats, allowing SOC teams to detect, escalate, and mitigate attacks early, preventing spread and protecting business operations. 

Now let’s see how this architecture works on a number of hands-on use cases of peculiar threat hunting tasks.  

1. Country-based Threat Detection 

Geographic analysis of threats provides valuable insights into the origin and distribution of malicious activities. ANY.RUN’s TI Lookup enables country-based threat detection through the submissionCountry parameter, which can be combined with other parameters to create highly specific queries. Many organizations that employ TI Lookup in their SOC, utilize this feature. 

Geographic threat analysis typically involves identifying submissions from specific countries and filtering them based on threat levels, threat names, or behavioral indicators. This approach helps security analysts understand regional threat landscapes, identify country-specific attack campaigns, and establish geopolitical context for observed threats. 

Several example queries demonstrate the application of country-based threat detection.  

The query below targets phishing attacks originating from Brazil. By combining the submissionCountry parameter with the threatName parameter, it focuses on a specific type of threat within a geographic context. 

submissionCountry:”br” AND threatName:”phishing” 

This approach helps identify regional trends in phishing campaigns, which may target local institutions or use language-specific social engineering techniques. 

The next identifies malicious submissions from India that involve PowerShell commands. It combines geographic filtering with a behavioral indicator and threat classification, providing a more comprehensive view of specific attack methodologies within a regional context. 

submissionCountry:”in” AND commandLine:”powershell” AND threatLevel:”malicious” 

This approach is particularly valuable for identifying sophisticated attacks that leverage legitimate system tools like PowerShell. 

Country-based threat detection can be further enhanced by analyzing temporal patterns, comparing threat distributions across different regions, and correlating geographic data with other threat indicators. This multidimensional approach provides a more comprehensive understanding of the global threat landscape and helps security teams prioritize their defensive efforts based on regional risk profiles. 

2. MITRE Technique-Focused Queries 

TI Lookup incorporates this framework through the MITRE parameter, enabling highly specific searches based on known attack techniques. 

Command and Script Execution (T1059) 

Command and script execution involves the use of command-line interfaces or scripting languages to execute commands, scripts, or binaries. This technique is commonly used by threat actors for various purposes, including initial access, execution, and persistence. The following query targets this technique: 

MITRE:”T1059″ AND (commandLine:”powershell” OR imagePath:”mshta.exe”) 

Here we identify submissions that exhibit command and script execution behavior, as defined by the MITRE technique T1059, and involve either PowerShell commands or the Microsoft HTML Application Host (mshta.exe). The combination of the MITRE parameter with specific command-line or image path indicators provides insights into how threat actors leverage legitimate system tools for malicious purposes. 

This example also gives us a representation of TI Lookup’s search volume and comprehensiveness: it can deliver hundreds and thousands of relevant malware samples, indicators, artifacts, and other types of data. An analyst can limit and refine the search employing the parameters and setting, for instance, changing the search period (circled on the screenshot) from the minimum of one day to the maximum of 180 days.  

Registry-Based Persistence (T1547) 

Registry-based persistence involves modifying the Windows Registry to ensure that malware runs automatically when the system starts or when specific conditions are met. This technique is commonly used by threat actors to maintain access to compromised systems. The following query targets this technique: 

MITRE:”T1547″ AND registryKey:”CurrentVersion\Run” 

This query identifies submissions that exhibit registry-based persistence behavior, as defined by the MITRE technique T1547, and specifically target the Run key in the Windows Registry. This key is commonly used for persistence, as any executable listed here will run automatically when a user logs in. 

Advanced MITRE Correlation 

Advanced threat hunting often involves correlating multiple MITRE techniques to identify sophisticated attack patterns. The following query illustrates this approach: 

MITRE:”T1055″ AND MITRE:”T1547″ AND MITRE:”T1082″ 

This query identifies submissions that exhibit three distinct MITRE techniques: process injection (T1055), registry-based persistence (T1547), and system information discovery (T1082). 

The correlation of these techniques suggests a sophisticated attack that injects code into legitimate processes, establishes persistence through registry modifications, and attempts to collect information about the system.  

MITRE technique-focused queries can be further enhanced by incorporating additional parameters related to file properties, network communications, or threat classifications. This multidimensional approach provides a more comprehensive understanding of how specific techniques are implemented in real-world attacks and helps security teams develop more effective detection and mitigation strategies. 

3. Obfuscated File Behavior Detection 

Obfuscation is a common technique used by malware authors to hide malicious code and evade analysis. ANY.RUN TI Lookup enables the detection of various obfuscation techniques through specialized queries that focus on file behaviors and characteristics. 

Executables in Non-Standard Directories 

Malware often places executable files in non-standard directories to avoid detection and blend in with legitimate system files. The following query targets this behavior: 

fileExtension:”exe” AND NOT filePath:”Windows*” AND NOT filePath:”Program Files*” 

This query identifies executable files (.exe) that are not located in the standard Windows or Program Files directories. The combination of the fileExtension parameter with negative conditions for standard file paths helps security analysts identify potentially suspicious executables that may be attempting to hide in unusual locations. 

Script-Based Obfuscation 

Script-based obfuscation involves the use of scripting languages to hide malicious code or execute obfuscated commands. The following query targets this behavior: 

commandLine:”powershell” and fileExtension:”js” 

This query identifies JavaScript (.js) files that execute PowerShell commands (you can also search for other script types, like Visual Basic Script (.vbs) files). This pattern is commonly observed in multi-stage attacks where script files are used as initial droppers that subsequently execute obfuscated PowerShell commands. The combination of file extension parameters with command-line indicators helps security analysts identify and analyze this obfuscation technique. 

4. Persistence and Mutex Creation 

Persistence mechanisms and mutex creation are common techniques used by malware to maintain access to compromised systems and ensure that only one instance of the malware is running at a time.  

Mutexes can be explored with the aid of Object parameters: 
 
syncObjectName:”rmc” 

This query identifies submissions that contain a mutex (a synchronization object often used by malware to ensure single-instance execution) with the name “rmc”. TI Lookup provides numerous analysis results, demonstrating that this mutex belongs to the Remcos trojan.  

This approach helps security analysts identify sophisticated malware based on artifacts found in system logs. Further analysis of persistence and mutex creation can involve examining the specific values written to registry keys, analyzing the naming conventions of mutexes, and correlating these indicators with other malicious behaviors. 

5. Domain Generation Algorithm (DGA) Detection 

Domain Generation Algorithms (DGAs) are techniques used by malware to dynamically generate domain names for command and control (C2) communication. This approach helps malware evade detection and blocking by constantly changing the domains used for communication. ANY.RUN TI Lookup enables the detection of DGA-based malware through specialized queries that focus on domain characteristics and communication patterns. 

Random TLD with Active Communication 

DGA-generated domains often use uncommon or cheaper top-level domains (TLDs) to reduce costs and avoid detection. The following query targets this behavior: 

domainName:”.top” OR domainName:”.xyz” AND (destinationPort:”80″ OR destinationPort:”443″) AND threatLevel:”malicious” 

This query identifies malicious submissions that communicate with domains using the .top or .xyz TLDs over HTTP (port 80) or HTTPS (port 443). These TLDs are relatively inexpensive and are commonly used in DGA implementations. The combination of domain name patterns, communication ports, and threat classification helps security analysts identify potential DGA-based malware. 

Domain Name Patterns 

This query identifies submissions that communicate with domains deployed on Cloudflare Workers. This is a common way for attackers to host phishing pages:  
 
domainName:”.workers.dev” AND threatLevel:”malicious” 

Known DGA Families 

Certain malware families are known to use specific DGA implementations. The following query targets these associations: 

(threatName:”redline” OR threatName:”lumma”) AND domainName:”.” AND destinationIpAsn:”cloudflare” 

This query identifies submissions associated with RedLine or Lumma malware families that communicate with any domain resolved to Cloudflare’s infrastructure. These malware families are known to use DGAs, and the correlation with Cloudflare ASN (Autonomous System Number) may indicate attempts to hide behind legitimate CDN services. This approach helps security analysts identify specific malware families that employ DGAs for C2 communication. 

DGA detection can be further enhanced by analyzing temporal patterns of domain generation, examining the linguistic characteristics of generated domains, and correlating domain communications with other malicious behaviors. 

6. Malware Family Behavior Queries 

Different malware families exhibit distinct behavioral patterns that can be used for identification and analysis. ANY.RUN TI Lookup enables the detection of specific malware families through queries that target their characteristic behaviors. 

Formbook 

Formbook is a data-stealing malware that captures screenshots, logs keystrokes, and steals data from web browsers.  

threatName:”formbook” OR (MITRE:”T1055″ AND registryKey:”Windows\CurrentVersion\Run” AND fileExtension:”exe”) OR (URL:”*.php” AND httpRequestContentType:”application/x-www-form-urlencoded”) 

This query identifies submissions explicitly classified as Formbook or exhibiting behaviors characteristic of this malware family, including process injection (MITRE T1055) combined with Run registry modifications and executable files, or communication with PHP endpoints using specific content types. These indicators collectively provide strong evidence of Formbook activity. 

AsyncRAT 

AsyncRAT is a remote access trojan that provides attackers with full control over infected systems. 

threatName:”asyncrat” and commandLine:”mshta.exe” OR commandLine:”powershell” 

This query identifies submissions explicitly classified as AsyncRAT or exhibiting behaviors characteristic of this malware family, including the use of mshta.exe or PowerShell.   

Malware family behavior queries can be further enhanced by incorporating additional indicators specific to each family, analyzing temporal evolution of behaviors, and correlating family-specific indicators with broader threat intelligence. This comprehensive approach provides deeper insights into malware family behaviors and helps security teams develop more effective detection and mitigation strategies. 

7. Thematic Search Query Updates 

TI Lookup lets you subscribe to receive updates on your custom search queries. For example, you can focus on specific malware families, enabling more efficient and targeted threat hunting.  

Credential Stealers 

Credential stealing is a common objective for various malware families. The following query targets three popular credential stealers Redline, Lumma, and Formbook that access the Security Account Manager (SAM) registry key, which stores user account information.  

threatName:”redline” OR threatName:”lumma” OR threatName:”formbook” AND registryKey:”SAM\” 

By subscribing to this query, we’ll receive updates each time new search results become available in TI Lookup. This thematic approach helps security analysts focus specifically on threats targeting credentials, regardless of the specific malware family involved. 

Conclusion 

We have reviewed a number of advanced threat hunting techniques using ANY.RUN TI Lookup.  

Through detailed exploration of various query methodologies, including country-based threat detection, MITRE technique-focused queries, obfuscated file behavior detection, persistence mechanisms, domain generation algorithm detection, and malware family behavior analysis, the research demonstrates the power and flexibility of query-based threat intelligence in modern security operations.  

The correlation of different indicators through logical operators and grouping enhances detection precision and reduces false positives, allowing security analysts to focus their efforts on the most relevant threats.  

By focusing on specific threat categories and leveraging advanced query techniques, security teams can develop more efficient and effective threat detection strategies. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, Threat Intelligence Lookup and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request trial of ANY.RUN’s services to test them in your organization → 

The post Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
• In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
• The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
• Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

---

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

Fake job interview sites mislead users to PylangGhost infection 

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

PylangGhost – Python variant of GolangGhost 

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command	Functionality
qwer	COMMAND_INFORMATION – collect information about the infected system, username, OS version etc
asdf	COMMAND_FILE_UPLOAD – file upload
zxcv	COMMAND_FILE_DOWNLOAD – file download
vbcx	COMMAND_OS_SHELL – launch an OS shell for remote access and control of the infected system
ghdj	COMMAND_WAIT – sleep for a number of seconds specified by the C2 server
r4ys	COMMAND_AUTO – browser information stealing command
89io	AUTO_CHROME_GATHER_COMMAND – subcommand of the browser information stealer command
gi%#	AUTO_CHROME_COOKIE_COMMAND – subcommand of the browser information stealer command
dghh	COMMAND_EXIT

Table 1. Commands and functionalities.

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

Comparison of Python and Golang modules 

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module	Python name	Golang name
Main function module	nvidia.py	cloudfixer.go
Configuration module	config.py	config/constans.go
Main command loop	nvidia.py	core/loop.go
Command handlers	command.py	core/loop.go
Browser Stealer functionality	auto.py	auto/* modules
File compression	util.py	util/compress.go
Base64 message encoding	command.py	command/stackcmd.go
Duplicate process check	nvidia.py	instance/check.go
Communications protocol	api.py	transport/htxp.go

Table 2. Comparison of Python and Golang RAT module names. 

Coverage  

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

IOCs 

The IOCs can also be found in our GitHub repository here.

SHA256 

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

C2 servers 

hxxp[://]31[.]57[.]243[.]29:8080 
hxxp[://]154[.]58[.]204[.]15:8080 
hxxp[://]212[.]81[.]47[.]217:8080 
hxxp[://] 31[.]57[.]243[.]190:8080

Download host names 

api[.]quickcamfix[.]online   
api[.]auto-fixer[.]online   
api[.]quickdriverupdate[.]online   
api[.]camtuneup[.]online   
api[.]driversofthub[.]online   
api[.]drive-release[.]cloud   
api[.]vcamfixer[.]online   
api[.]nvidia-drive[.]cloud   
api[.]nvidia-release[.]us   
api[.]autodriverfix[.]online   
api[.]camdriversupport[.]com   
api[.]smartdriverfix[.]cloud   
api[.]drivercams[.]cloud   
api[.]camtechdrivers[.]com   
api[.]web-cam[.]cloud   
api[.]camera-drive[.]org   
api[.]nvidia-release[.]org 
api[.]fixdiskpro[.]online 
api[.]autocamfixer[.]online

Fake job interview host names 

krakenhire[.]com  
yuga[.]skillquestions[.]com  
uniswap[.]speakure[.]com  
doodles[.]skillquestions[.]com  
www[.]hireviavideo[.]com  
kraken[.]livehiringpro[.]com  
quiz-nest[.]com  
www[.]smartvideohire[.]com  
www[.]talent-hiringstep[.]com  
provevidskillcheck[.]com  
skill[.]vidintermaster[.]com  
digitaltalent[.]review  
robinhood[.]ecareerscan[.]com  
evalswift[.]com  
livetalentpro[.]com  
quantumnodespro[.]com  
evalassesso[.]com  
parallel[.]eskillora[.]com  
coinbase[.]talentmonitoringtool[.]com  
uniswap[.]testforhire[.]com  
coinbase[.]talenthiringtool[.]com  
crosstheages[.]skillence360[.]com 
parallel [.] eskillprov [.] com 
assesstrack [.] com 
coinbase [.] talentmonitoringtool [.] com 
talent-hiringtalk[.]com 
uniswap[.]prehireiq[.]com 
fast-video-recording[.]com

Cisco Talos Blog – ​Read More