How to protect yourself from Google Forms scams | Kaspersky official blog

You’ve probably filled out a Google Forms survey at least once — likely signing up for an event, taking a poll, or gathering someone else’s contacts. No wonder you did — this is a convenient and easy-to-use service backed by a tech giant. This simplicity and trust have become the perfect cover for a new wave of online scams. Fraudsters have figured out how to use Google Forms to hide their schemes, luring victims with promises of free cryptocurrency. And all the victim has to do to fall into the trap is click a link.

Free crypto exists only in a scammer’s trap

Just like parents tell their kids not to take candy from strangers, we recommend being cautious about offers that seem too good to be true. Today’s story is exactly about that. Our researchers have uncovered a new wave of scam attacks exploiting Google Forms. Scammers use this Google service to send potential victims emails offering free cryptocurrency.

"The transaction for the transfer has been verified"

As is often the case, the scam is wrapped in a flashy, tempting package: victims are lured with promises of cashing out a large sum of cryptocurrency. But before you can get your payout, the scammers ask you to pay a fee — though not right away. First, you have to click a link in the email, land on a fake website, and enter your crypto wallet details and your email address (a nice bonus for the scammers). And just like that, you wave goodbye to your money.

The scammers are counting on victims finding an offer of 1.275 BTC too hard to resist

If we take a closer look at these emails, we’ll see that they don’t exactly win any awards for looking legit. That’s because, while Google Forms is a free tool that allows anyone, including scammers, to create professional-looking emails, these emails have a very specific look that’s pretty hard to pass off as a real crypto platform notification. So why do scammers use Google Forms?

Because it lets the message slip past email filters, and there’s a good reason it does. Emails like these are sent from Google’s own mail servers and link to the forms.gle domain. Those links look legitimate to spam filters, so there’s a good chance the messages land in your inbox. This is how scammers exploit the good reputation of the service.

Google Forms scams are on the rise. According to some experts, the number of these scams increased by 63% in 2024 and likely continues to grow in 2025. That means one thing: you need to share this post right now with your loved ones who are just starting to explore the internet. Tell them about the most common types of scams today and how to protect themselves.

Protecting yourself from Google Forms scams

The easiest and most effective approach is to rely on a trusted security tool that alerts you whenever you try to visit a phishing website. What are some other things you can do?

  • Avoid following links in emails you weren’t expecting. Chances are, there’s nothing good behind them.
  • Avoid entering your personal information on suspicious websites. If your curiosity gets the better of you and you do click a link in an email, be absolutely sure not to enter any payment or personal information.
  • Remember the free lunch. Alert: there is no such thing. Watch out for offers promising payments or prizes — especially if they ask you to pay a commission upfront.
  • Learn how other types of scams operate and share the news of the latest threats with your loved ones.

If you’ve grown tired of all the Google Forms scams, you can set up a filter for the phrase “Create your own Google Form” in your email client. Every single Google Forms email contains that phrase, so the filter will move any messages with the text right to the spam folder. The problem with this approach is that you might miss legitimate emails from Google Forms. Here’s how to block these emails in Gmail and Outlook.
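As an added example (not Kaspersky’s code), the Python triage routine below acts on the two facts above: every Google Forms email carries the footer phrase and a forms.gle link, so a blanket filter also drops legitimate surveys, while combining that wrapper with the crypto-payout lure singles out the scam. The two sample messages, the sender address and the indicator list are constructed for this example.

```python
"""Triage of lure emails delivered through Google Forms: added example, not Kaspersky's code.

The messages come from Google's own servers and link to forms.gle, so sender reputation
says nothing; and every Google Forms email carries the footer phrase, so filtering on it
alone also drops real surveys. This rule escalates only when the Google Forms wrapper is
combined with the crypto-payout lure. Samples, sender address and indicators are constructed.
"""
import re
from email import message_from_string
from email.message import Message

FORMS_FOOTER = "create your own google form"  # present in every Google Forms email
FORMS_LINK = re.compile(r"https?://forms\.gle/\S+", re.I)
# Constructed lure indicators drawn from the scheme described in the post.
LURE_PATTERNS = {
    "crypto_payout": re.compile(r"\b(?:btc|bitcoin|crypto(?:currency)?|usdt|ethereum)\b", re.I),
    "verified_transfer": re.compile(r"transaction.{0,60}\b(?:verified|confirmed)\b", re.I | re.S),
    "wallet_request": re.compile(r"\bwallet\b", re.I),
    "upfront_fee": re.compile(
        r"\b(?:pay|send|transfer)\b.{0,60}\b(?:fee|commission)\b"
        r"|\b(?:fee|commission)\b.{0,60}\b(?:pay|send|transfer)\b", re.I | re.S),
}


def body_text(msg: Message) -> str:
    """Concatenate text/plain and text/html parts, decoded with their declared charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_eml: str) -> dict:
    msg = message_from_string(raw_eml)
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    via_forms = FORMS_FOOTER in text.lower() or bool(FORMS_LINK.search(text))
    hits = sorted(name for name, rx in LURE_PATTERNS.items() if rx.search(text))
    if via_forms and len(hits) >= 2:
        verdict = "quarantine"  # Google Forms wrapper plus a clear payout lure
    elif via_forms and hits:
        verdict = "review"      # one weak signal: a human decides, nothing is silently dropped
    else:
        verdict = "deliver"     # ordinary surveys keep flowing, unlike with a blanket filter
    return {"google_forms": via_forms, "lure_hits": hits, "verdict": verdict}


# Constructed samples, not real messages; both would pass a sender-reputation check.
SCAM_EML = """\
From: Google Forms <noreply@google.example>
To: victim@example.org
Subject: The transaction for the transfer has been verified
Content-Type: text/plain; charset="utf-8"

The transaction for the transfer has been verified.
Your balance of 1.275 BTC is ready for withdrawal. To release the funds, pay the
network commission first and confirm your wallet address here:
https://forms.gle/constructedExampleId
Create your own Google Form
"""

SURVEY_EML = """\
From: Google Forms <noreply@google.example>
To: employee@example.org
Subject: Team lunch poll: your response has been recorded
Content-Type: text/plain; charset="utf-8"

Thanks for voting! You can edit your answer at https://forms.gle/constructedPollId
Create your own Google Form
"""

if __name__ == "__main__":
    print(triage(SCAM_EML))
    print(triage(SURVEY_EML))
```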

Kaspersky official blog – Read More

How to set up security and privacy in Garmin apps | Kaspersky official blog

Sports smartwatches continue to be a prime target for cybercriminals, offering a wealth of sensitive information about potential victims. We’ve previously discussed how fitness tracking apps collect and share user data: most of them publicly display your workout logs, including precise geolocation, by default.

It turns out that smartwatches continue that lax approach to protecting their owners’ personal data. In late June 2025, all COROS smartwatches were found to have serious vulnerabilities that exposed not only the watches themselves but also user accounts. By exploiting them, malicious actors can gain full access to the data in the victim’s account, intercept sensitive information like notifications, change or factory-reset device settings, and even interrupt workout tracking, leading to the loss of all data.

What’s particularly frustrating is that COROS was notified of these issues back in March 2025, yet fixes aren’t expected until the end of the year.

Similar vulnerabilities were discovered in 2022 in devices from arguably one of the most popular manufacturers of sports smartwatches and fitness gadgets, Garmin, although these issues were promptly patched.

In light of these kinds of threats, it’s natural to want to maximize your privacy by properly configuring the security settings in your sports apps. Today, we’ll break down how to protect your data within Garmin Connect and the Connect IQ Store — two online services in one of the most widely used sports gadget ecosystems.

How to find privacy settings in Garmin Connect

The privacy settings are located in different sections of the menu depending on whether you’re using the mobile app or the web version.

In the Garmin Connect mobile app:

  1. Open Garmin Connect on your smartphone.
  2. Tap the three dots (More section) in the bottom right corner.
  3. Select Settings.
  4. Locate Profile & Privacy.
How to find the privacy settings in Garmin Connect for iOS — the process is essentially the same in the Android version of the app

In the web version of Garmin Connect:

  1. Open the Garmin Connect website in a browser.
  2. Click the profile icon in the top right corner.
  3. Select Account Settings.
  4. Navigate to Privacy Settings.
How to find the privacy settings in the web version of Garmin Connect

There, you can adjust the visibility of your profile, activities, and steps, and even decide who can see your badges. For the highest level of privacy, we recommend selecting Only me. This ensures that your personal information, workout stats, and other data are visible only to you.

How to hide your workout locations in Garmin Connect

Revealing your routes is one of the most significant privacy risks. This could allow malicious actors to track you in near real-time.

Analysis of publicly available geodata has repeatedly revealed leaks of highly confidential information — from the locations of secret U.S. military bases exposed by anonymized heatmaps of service members’ activity, to the routes of head-of-state motorcades, pieced together from their bodyguards’ smartwatch tracking data. All this data ended up publicly accessible, not because of a hack, but due to incorrect privacy settings within the app itself, which broadcasts all of the owner’s movements online by default.

These leaks clearly showed that data from wearable sensors can cause a lot of problems for their wearers. Even if you’re not guarding top government officials, training maps can reveal your home address, workplace, and other frequently visited locations.

Garmin’s tactical watch models include a Stealth mode feature, designed specifically for military personnel. In their line of work, a lack of privacy can be a matter of life and death. However, with Garmin Connect, you can set up your own privacy zones for almost every Garmin gadget.

Setting up privacy zones:

  1. Open your Garmin Connect profile in a browser (the feature isn’t available in the mobile app).
  2. Navigate to Privacy Zones.
  3. Tap + Add New Zone.
  4. Enter your home address or some other place you want to hide.
  5. Set a zone radius — we recommend at least 500 meters.
How to set up privacy zones in Garmin Connect

Garmin’s Privacy Zones are quite similar to a feature Strava introduced back in 2013. They automatically hide the start and end points of your workouts if these fall within a designated area. And even if you share your workout with the whole world, it’ll be impossible to see your exact location — for example, your home.

Just a bit further up in that same section, it’s worth checking out other ways your movement data might be used: for instance, to create heatmaps based on user routes. You can opt out of sharing this kind of data. To understand what each function does and how to adjust it, simply tap Edit directly below it. A description will pop up, explaining what data is collected and how it’s used.

How to adjust advanced data collection and sharing settings in Garmin Connect

How to change the visibility of past activities in Garmin Connect

Changing your privacy settings won’t retroactively apply to activities you’ve already saved in Garmin Connect. Even if you crank up your privacy to the max right now, all your past recordings will still show up with the visibility settings they had when you first created them. So if you’ve been using Garmin for a while and you’re just now getting around to tweaking your privacy, you’ll want to update your previously saved activities as well.

  1. Sign in to the web version of Garmin Connect.
  2. Select Account Settings → Privacy Settings.
  3. Locate Update Past Activities, select a new level of privacy for all past workouts, and confirm your changes.
You can only change the privacy settings for your previously saved activities in the web version of Garmin Connect.

How to delete individual activities in Garmin Connect

You can remove specific saved activities so no one can see them.

  1. Open the Garmin Connect mobile app.
  2. Navigate to More → Activities → All Activities.
  3. Select the workout you want to delete.
  4. Tap the three dots in the top right corner.
  5. Tap Delete Activity.
How to remove individual workout records from Garmin Connect

If you need to wipe all your previously saved activities, and you have a lot of them, it might be easier to delete your old account and create a new one. However, keep in mind that deleting your account will result in the loss of all your workout data and health metrics.

How to monitor connected devices and services in Garmin Connect

Another potential source of personal data leaks comes from devices and services that have access to your Garmin Connect account. If you frequently switch out your sports gadgets, make sure you remove them from your account.

  1. Tap the device icon in the top right corner of Garmin Connect.
  2. The Devices section will open.
  3. Remove any unfamiliar or unused devices by swiping left on them.

Next, check the list of third-party apps that have access to your account:

  1. Open Settings.
  2. Navigate to Connected Apps, and remove those you no longer use.
How to remove old devices and connected apps from Garmin Connect

How to protect yourself from vulnerabilities in Connect IQ

It’s not just incorrect privacy settings in Garmin Connect that can expose your data. Vulnerabilities in apps and watch faces available through the Connect IQ Store marketplace can also lead to data leaks. In 2022, security researcher Tao Sauvage found that the Connect IQ API developer platform contained 13 vulnerabilities. These could potentially be exploited to bypass permissions and compromise your watch.

Some of these vulnerabilities have been lurking in the Connect IQ API since its very first release back in 2015. Over a hundred models of Garmin devices were at risk, including fitness watches, outdoor navigators, and cycling computers. Fortunately, these vulnerabilities were patched in 2023, but if you haven’t updated your device since before then (or you purchased a used gadget), it’s crucial to update its firmware to the latest version.

Even though these specific vulnerabilities have been fixed, the Connect IQ Store remains a potential entry point for future threats. Because of this, we recommend the following:

  1. Avoid installing third-party watch faces and apps from unknown developers in the Connect IQ Store.
  2. Stick to official Garmin watch faces built into your device.
  3. Make sure to regularly update your Garmin devices. You can do this through Garmin Express on your desktop, or by using Garmin Connect on your smartphone.
  4. Turn off automatic app downloads from the Connect IQ Store in the settings.

General recommendations

In an era of increasing cyberthreats to IoT devices, properly configuring the privacy settings on your wearables is crucial. Your digital security doesn’t just depend on device vendors; it also relies on the steps you take to protect your personal data.

  1. Use unique passwords for all accounts, including Garmin Connect. Read more on how to create a strong and easy-to-remember password.
  2. Turn on two-factor authentication wherever possible.
  3. Double-check the privacy settings after every app update to avoid any unwelcome surprises.
  4. Curb your connections on the Garmin Connect social network.
  5. Ignore connection requests from strangers.

To manage privacy for popular apps and gadgets, be sure to use our free service, Privacy Checker. And to stay on top of the latest cyberthreats and respond quickly, subscribe to our Telegram channel. Finally, the specialized privacy protection modes in Kaspersky Premium ensure maximum security for your personal information and help prevent data theft across all your devices.

Kaspersky official blog – Read More

Beating Supply Chain Attacks: DHL Impersonation Case Study  

ANY.RUN’s services process data on current threats daily, including attacks affecting supply chains. In this case study, we analyze examples of DHL brand abuse. The company is a leading global logistics operator, and attackers exploit its recognition to send phishing emails, potentially targeting its partners.

We will demonstrate how ANY.RUN’s solutions can be used to identify such threats, collect technical indicators, and enhance security. Here are the key findings. 

Key Takeaways 

  • Supply chain attacks are on the rise: adversaries actively exploit third-party relationships. 
  • Real-world example: attackers impersonated DHL in phishing emails targeting partner organizations, like Meralco, using fake domains and deceptive attachments to collect credentials. 
  • HTML attachment bypasses filters: lesser-known file extensions are used. 
  • Credential theft via third-party form service: analysis with HTTPS MITM revealed a POST request containing plaintext credentials sent to a unique endpoint. 
  • Shared visual lures identified by image hash: the DHL-themed image in the phishing email was reverse-searched via its SHA256 hash, revealing five other phishing campaigns using the same lure. 
  • DHL-imitating domains and filenames as indicators: analysts identified 39 phishing domains (e.g., dhlshipment*, -dhl.) and over 300 malware samples with DHL-themed filenames (e.g., dhlreceipt*.pdf) — exposing common obfuscation patterns and phishing themes used to trick users. 

Supply Chain Attack Growing Dynamics 

A supply chain attack is a type of cyberattack where adversaries gain access to a target organization by compromising a less protected external participant in the interaction chain: a contractor, a supplier, a technology partner, or another link. 

The data from Cyble reveals steady growth in supply chain attacks. From October 2024 to May 2025, an average of more than 16 incidents per month was recorded, a 25% increase over the previous eight-month period. A sharp spike in activity was observed in April and May 2025. This trend indicates growing attacker interest in this attack model and its increasingly widespread use in real campaigns.

Real-world examples include the Scattered Spider group’s attack on Australian airline Qantas. The attackers penetrated through a third party (contact center), which is typical for such attacks.

DHL Brand Abuse in Phishing Campaigns 

Suppose we are information security specialists at a company that collaborates with DHL and could be used by attackers as an intermediate link in the attack chain. 

Our task is to promptly detect phishing emails disguised as official correspondence from DHL. Such messages may target company employees, contractors, or other DHL partners.

To identify such activity, we use ANY.RUN’s YARA Search — we’ll create a rule that allows us to find .eml files mentioning DHL in the From, To, and Subject headers. This will help collect indicators, identify malicious attachments, and assess potential risks to our infrastructure. 

YARA rule search in Threat Intelligence Lookup 

The search delivered over 110 files and associated analysis sessions (tasks) from ANY.RUN’s Interactive Sandbox. This data allows us to:

  • Identify malicious campaigns that exploit the DHL brand, including cases of possible compromise of official email accounts and infrastructure of the company or its contractors. 
  • Identify applied tactics, techniques, and procedures (TTPs).  
  • Classify the malware involved.

Not all found objects contain malicious payloads, but many are interesting from an analytical perspective, as examples of malicious brand abuse. 

How to Detect DHL-themed Phishing in Your Infrastructure 

To effectively detect and analyze DHL-themed phishing attempts within your infrastructure, consider the following practices: 

Scan Your Endpoints with YARA Rule 

Utilize a YARA rule to scan your email endpoints for any emails related to DHL. Here’s an example of a YARA rule you can use: 

This rule helps identify emails that mention DHL in the subject line, sender, or recipient fields. 

Analyze Suspicious Emails, Files, and URLs in ANY.RUN’s Interactive Sandbox 

ANY.RUN’s Interactive Sandbox allows you to safely open and interact with suspicious files and URLs.  

You can safely open emails and click through any attachments or links within a controlled environment. This helps in understanding the full attack chain from the initial phishing email to the execution of any malicious payloads. 

Use TI Lookup to Gather Context on Alerts 

Leverage ANY.RUN’s Threat Intelligence Lookup to quickly verify whether an artifact (URLs, file hashes, or even command line activities) involved in an alert within your company is associated with a specific attack.  

Gather context on the alerts by identifying related campaigns and understanding the broader context of the attacks. This helps in recognizing common tactics, techniques, and procedures (TTPs) used by attackers, allowing for faster and more accurate responses to potential threats. 

Case Study: Analyzing a Phishing Email targeting DHL counterparties 

We analyze one of the emails found by the YARA scan in ANY.RUN’s Sandbox.

Pseudo-DHL email with a phishing attachment 

The email sender masquerades as DHL Express International. The “From” field displays the corresponding display name, but the actual sender address Haalasolamagic@cirrcor[.]com belongs to a third-party organization not affiliated with DHL. 

The email is directed to an address in the meralco[.]com[.]ph domain, belonging to Meralco, the largest energy company in the Philippines. Previously, DHL objects were mentioned in Meralco’s planned power outage notifications, and in May 2025, Meralco’s subsidiary MSpectrum announced a joint project with DHL Supply Chain Philippines. 

Based on this, we can assume that the cooperation between DHL and Meralco does exist, and the attackers’ use of such an addressee may not be coincidental. 

The email looks like a part of an attempt at a supply chain attack. The email is not directed to DHL, but to an organization affiliated with it. The use of corporate identity and business context may be part of a scenario where attackers try to gain access to the main target through its partners or contractors — a typical technique in targeted campaigns. 

IMPORTANT: Please report all instances of DHL impersonation to the company’s official Anti-Abuse Mailbox.

Email Content Analysis 

The email body uses DHL’s corporate identity and phrasing typical for business correspondence. The recipient is asked to open an attachment — a file named “Draft BL & Shipping Invoice.shtm,” allegedly containing a preliminary invoice and waybill for confirmation. The .shtm (a variant of .html) extension is likely used for masking and bypassing email filters. 

When the attached file is opened in a browser, a DHL-styled web page is displayed with a password submission form. The user is asked to authenticate to view an allegedly encrypted document supposedly sent from DHL. This is typical for phishing pages imitating official delivery services and used to collect credentials. 

Web page with fake credential-stealing authentication form 

Network Activity Analysis 

The network activity generated while interacting with this form contains a request to submit-form[.]com.  

submit-form.com in the Connections section of the Sandbox analysis 

This service is used to collect data entered in HTML forms and allows redirecting it directly to a specified email address. 

If we try to analyze the network request sent when entering data into the form, we’ll only see a connection through port 443. The connection is encrypted, and its content, including the entered password, is not available for viewing without applying MITM methods. 

MITM Analysis

To get more information, we restart the analysis of this email in ANY.RUN’s Sandbox with the HTTPS-MITM-PROXY (MITM) function enabled to get access to the network packet contents.  

Click Restart in a sandbox session to run the analysis with different parameters 

In the new analysis with MITM enabled, we open the attached .shtm file and enter a password in the form, for example “password999,” then click “View Document”. 

Going to the HTTP Requests tab, we find a POST request sent to https://submit-form[.]com/7zFSu099A.  

submit-form.com request in the HTTP Requests section of the Sandbox analysis 

The request contents confirm the transfer of entered data: the request body contains form field values, including the entered password. This proves that the attacker uses the third-party service submit-form[.]com to collect authentication data entered by the victim on the phishing page. 

Request forwarding user’s password 

submit-form[.]com Usage Analysis

Using ANY.RUN Threat Intelligence Lookup to check the submit-form[.]com domain and related campaigns, we find more than 200 public analyses featuring the website. Most are marked as malicious: attackers actively use submit-form[.]com to intercept data entered on phishing pages, including passwords and email addresses. 

domainName:"submit-form.com"

Sandbox analyses featuring the website for exfiltrated user data 

Now we can estimate the relevance and scale of such threats and make decisions about blocking/monitoring of this domain. 

Image-Based Search for Similar Attacks 

To find additional indicators of similar attacks, we analyzed the DHL-styled image used in the email above. Using this image, we can find other phishing campaigns that reuse the same file, expanding our set of indicators and our understanding of the scale of brand abuse.

Image from the phishing email searchable by hash in TI Lookup 

We extract the image’s SHA256 hash from the static analysis and perform a search for the image through ANY.RUN’s TI Lookup.   

The image’s hash in the file analysis 

The search returns 5 analyses featuring identical images. They were used in campaigns targeting various addresses that may belong to potential contractors, clients, or company employees. 

Hash search results: sandbox analyses of similar attacks 

These analyses allow us to study additional social engineering techniques and various phishing strategies and to collect threat indicators: email subjects, sender IP addresses, malicious domains.  
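The checks walked through above can be run locally on a raw .eml before anything goes to a sandbox: the From/To/Subject search from the YARA section, the DHL display name on a non-DHL address, the .shtm attachment, the form inside it posting to a third-party collector, and the SHA256 of the image lure for a TI lookup. The Python triage below is an added example, not ANY.RUN’s code or the case study’s YARA rule; the sample message, its addresses, domains, image bytes and the allowlisted DHL sender domain are all constructed assumptions.

```python
"""Local triage of DHL-themed .eml files: added example, not ANY.RUN's code or rule.

Mirrors the From/To/Subject search from the YARA section and adds the case study's other
signals: DHL display name on a non-DHL address, HTML attachment under a rarer extension
such as .shtm, a form inside it posting to an external collector, SHA256 of image lures.
"""
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

DHL_SENDER_DOMAINS = ("dhl.com",)  # assumption: the only domains accepted as genuine DHL
HTML_LIKE = (".html", ".htm", ".shtm", ".shtml", ".xhtml")  # HTML under any of its extensions
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dhl_header_hits(msg: Message) -> list:
    """Which of From/To/Subject mention DHL: the same check the YARA rule makes on raw headers."""
    return [h for h in ("From", "To", "Subject") if "dhl" in (msg.get(h) or "").lower()]


def spoofed_dhl_sender(msg: Message) -> bool:
    """Display name claims DHL while the actual address sits on a non-DHL domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    genuine = any(domain == d or domain.endswith("." + d) for d in DHL_SENDER_DOMAINS)
    return "dhl" in name.lower() and not genuine


def html_attachments(msg: Message) -> list:
    """(filename, decoded text) for every attachment whose extension is in the HTML family."""
    found = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(HTML_LIKE):
            found.append((fname, (part.get_payload(decode=True) or b"").decode("utf-8", "replace")))
    return found


def external_form_targets(msg: Message) -> list:
    """Hosts that forms inside HTML attachments submit to, i.e. where credentials would go."""
    hosts = set()
    for _, body in html_attachments(msg):
        for url in FORM_ACTION.findall(body):
            hosts.add(url.split("/")[2].lower())
    return sorted(hosts)


def image_hashes(msg: Message) -> dict:
    """SHA256 per image part, keyed by filename, for reverse lookup of shared visual lures."""
    return {part.get_filename() or "<inline>": sha256_hex(part.get_payload(decode=True) or b"")
            for part in msg.walk() if part.get_content_maintype() == "image"}


def triage(raw_eml: str) -> dict:
    msg = message_from_string(raw_eml)
    hits = dhl_header_hits(msg)
    spoof = spoofed_dhl_sender(msg)
    html = [name for name, _ in html_attachments(msg)]
    collectors = external_form_targets(msg)
    score = len(hits) + 2 * spoof + 2 * bool(html) + 3 * bool(collectors)
    return {"header_hits": hits, "spoofed_sender": spoof, "html_attachments": html,
            "form_collectors": collectors, "image_sha256": image_hashes(msg),
            "verdict": "suspicious" if score >= 4 else "review" if score else "clean"}


# Constructed sample shaped like the case study: DHL display name on a foreign address,
# an .shtm attachment whose form posts to a third-party collector, and an image lure.
SAMPLE_IMAGE = b"PNG-placeholder-bytes-constructed-for-this-example"
SAMPLE_FORM_HTML = ("<html><body><form method='post' action='https://form-collector.example/abc123'>"
                    "<input name='password' type='password'><input type='submit' value='View Document'>"
                    "</form></body></html>")


def build_sample_eml() -> str:
    msg = MIMEMultipart("mixed")
    msg["From"] = "DHL Express International <notify@courier-partner.example>"
    msg["To"] = "logistics@partner.example"
    msg["Subject"] = "DHL Express: Draft BL & Shipping Invoice for confirmation"
    msg.attach(MIMEText("Please review the attached draft bill of lading and invoice.", "plain"))
    img = MIMEImage(SAMPLE_IMAGE, _subtype="png")
    img.add_header("Content-Disposition", "attachment", filename="dhl_banner.png")
    msg.attach(img)
    doc = MIMEApplication(SAMPLE_FORM_HTML.encode(), _subtype="octet-stream")
    doc.add_header("Content-Disposition", "attachment", filename="Draft BL & Shipping Invoice.shtm")
    msg.attach(doc)
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```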

Identifying Malicious Domains Imitating DHL 

Now we search for domains that imitate official DHL resources to understand what phishing domains might be used to masquerade as partner organizations. This helps us understand: 

  • What tactics and methods attackers use. 
  • How such resources are designed (appearance, structure, content copying).
  • What payload they may distribute. 

A simple query in ANY.RUN’s TI Lookup allows us to find phishing domains imitating DHL, focusing on typical patterns used in the logistics industry, including campaigns masquerading as delivery notifications, documents, or cargo movements. 

domainName:"dhl." or domainName:"dhlshipment*" OR domainName:"dhldocument*"

Domains imitating DHL notifications in malware samples 

The query results provide access to 39 public analyses containing the specified patterns. This data can be used to enrich IOC collection and improve phishing detection and filtering by security systems.  

Analyzing Files Imitating Legitimate DHL Attachments 

Additionally, we can search for the names of files uploaded to ANY.RUN that contain mentions of the partner company. This analysis helps to: 

  • Identify popular malware distribution schemes abusing DHL. 
  • Determine which malware families are employed. 
  • Collect related indicators — file names, hashes, attachments. 
  • Obtain data on vulnerabilities used by attackers. 

Here is a TI Lookup query exposing files imitating legitimate DHL attachments:  
 
filePath:"dhlreceipt*" or filePath:"dhlshipment*" or filePath:"dhldelivery*"

Malware samples containing files with DHL-related names 

We have found over 300 analyses containing the requested patterns in file names. Not all of them are malicious, but a significant portion is worth analyzing for updating filters, detection rules, and raising awareness about DHL masquerading techniques in recent attacks.

Conclusion 

In this case study, we demonstrated how ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup can be used to identify threats related to potential supply chain attacks. Using DHL as an example, we analyzed activity targeting its partners and contractors — from phishing emails to impersonating domains. 

Such activity may be part of preparation for supply chain attacks. The presented methods allow timely identification of such risks and adaptation of approaches to the specifics of a particular organization. 

About ANY.RUN

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.    

  • Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions. 
  • Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.  

 Request a trial of ANY.RUN’s services to see how they can boost your SOC workflows. 

The post Beating Supply Chain Attacks: DHL Impersonation Case Study appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Meet Hazel Burton

Welcome to the first episode of Humans of Talos, a new video interview series that shines a spotlight on team members across Talos. Featuring their personal stories, career journeys and unique perspectives, you’ll get an inside look into what it’s like to work in our organization and the people who make the internet more secure for all.

Amy Ciminnisi: Hello and welcome to the first episode of Humans of Talos! I’m here with Hazel Burton, who should be a familiar face to most of you. I’m curious: What led you to your role at Talos? What made you want to join?

Hazel Burton: I’d always worked in small businesses before and always had a bit of an entrepreneurial mindset because of that. I just started doing things that I wasn’t supposed to be doing! I commandeered an office in one of the small businesses, turned it into a TV studio and started creating security content. That somehow led me on a path to joining Cisco.

I was doing a lot of storytelling and communications around some of the main challenges that people in this industry go through, but I was always finding excuses to work with Talos. I love the people at Talos, but I also love the ethos: doing the right thing, even if it makes no commercial sense whatsoever. So when I was asked to hop over the fence and work full-time at Talos leading content programs and data-driven stuff, it was an opportunity to help a really strong organization rooted in that ethos to do what they do best and make things easier for people in this industry. So it was a pretty easy decision to make to join Talos.

AC: Following that, what advice would you give to someone who would want to join Talos?

HB: Ask bold questions would be my first piece of advice. This is a very safe space to be able to do things like that. Ask, “Could this work? What if we tried this?” I promise you, you will be hired based on you asking those questions and you will be trusted to find the answers, even if the answer is, “Yeah, that didn’t work at all, did it? Oh, well.”

The other one — I don’t know if I can say this, you might want to bleep it out — but don’t be an arsehole. The people that we work with are as generous as they are amazingly smart and talented. So sharing their knowledge, helping each other out, not mocking someone for not knowing something, saying, “I don’t have any experience in this, can you help me?” That is what Talos is about. If you are only looking after number one, then probably don’t join Talos. But if you do want to be part of something where everyone has your back, then do.

The third thing that I think is really important for people to know, because they might have been burned by this before, is that we do actually have a leadership team who fights to give Talos people the air cover that they need when they need to go out and do things. So, it happens quite often where we’ll have to drop something and go to a rapid response effort — because, you know, the world — and we’re given the resources to be able to do that and the air cover. So if you don’t have that at the moment, trust me: When you find it, it’s the most amazing thing in the world because you know that you are going to have a clear runway. That is the nature of how the organization works.

AC: Yeah. It doesn’t just help the person grow their own skillset, it doesn’t just help Talos — but having that airway helps everyone as a whole, the cybersecurity community and beyond.

HB: Also, bring your own nerdy self to work! Again, it’s a very safe place to do that.

For more, watch the full interview.

Cisco Talos Blog – Read More

Why is your data worth so much? | Unlocked 403 cybersecurity podcast (S2E4)

Behind every free online service, there’s a price being paid. Learn why your digital footprint is so valuable, and why you might be the product.

WeLiveSecurity – Read More

Common mistakes in using CVSS | Kaspersky official blog

When you first encounter CVSS (Common Vulnerability Scoring System), it’s easy to think this is the perfect tool for triaging and prioritizing vulnerabilities. A higher score must mean a more critical vulnerability, right? In reality, that approach doesn’t quite work out. Every year, we see an increasing number of vulnerabilities with high CVSS scores. Security teams just can’t patch them all in time, but the vast majority of these flaws are never actually exploited in real-world attacks. Meanwhile, attackers are constantly leveraging less flashy vulnerabilities with lower scores. There are other hidden pitfalls too — ranging from purely technical issues like conflicting CVSS scores to conceptual ones like a lack of business context.

These aren’t necessarily shortcomings of the CVSS itself. Instead, this highlights the need to use the tool correctly, as part of a more sophisticated and comprehensive vulnerability management process.

CVSS discrepancies

Have you ever noticed how the same vulnerability can have different severity scores depending on the source? One score from the security researcher who found it, another from the vendor of the vulnerable software, and yet another from a national vulnerability database? It’s not always a simple mistake. Sometimes different experts disagree on the context of exploitation. They might have different ideas about the privileges with which a vulnerable application runs, or whether it’s internet-facing. For instance, a vendor might base its assessment on its recommended best practices, while a security researcher might consider how applications are typically configured in real-world organizations. One researcher might rate the exploit complexity as high, while another deems it low. This isn’t an uncommon occurrence. A 2023 study by VulnCheck found that 20% of vulnerabilities in the National Vulnerability Database (NVD) had two CVSS3 scores from different sources, and 56% of those paired scores were in conflict with each other.

Common mistakes when using CVSS

For over a decade, FIRST has advocated for the methodologically correct application of CVSS. Yet organizations that use CVSS ratings in their vulnerability management processes continue to make typical mistakes:

  1. Using the CVSS base score as the primary risk indicator. CVSS measures the severity of a vulnerability — not when it will be exploited or the potential impact of its exploitation on the organization under attack. Sometimes, a critical vulnerability is harmless within a specific company’s environment because it resides in insignificant and isolated systems. Conversely, a large-scale ransomware attack might begin with a seemingly innocuous information leak vulnerability with a CVSS score of 6.
  2. Using the CVSS Base score without Threat/Temporal and Environmental adjustments. The availability of patches, public exploits, and compensatory measures significantly influences how and how urgently a vulnerability should be addressed.
  3. Focusing only on vulnerabilities above a certain score. This approach is sometimes mandated by government or industry regulators (“remediate vulnerabilities with CVSS score above 8 within one month”). As a result, cybersecurity teams face a continuously growing workload that, in reality, doesn’t make their infrastructure more secure. The number of vulnerabilities with high CVSS scores identified annually has been rapidly increasing over the past 10 years.
  4. Using CVSS to assess the likelihood of exploitation. These metrics are poorly correlated: only 17% of critical vulnerabilities are ever exploited in attacks.
  5. Using only the CVSS rating. The standardized vector string was introduced in CVSS so that defenders could understand the details of a vulnerability and independently calculate its importance within their own organization. CVSS 4.0 was specifically revised to make it easier to account for business context using additional metrics. Any vulnerability management efforts based solely on a numerical rating will largely be ineffective.
  6. Ignoring additional sources of information. Relying on a single vulnerability database and analyzing only CVSS is insufficient. The absence of data on patches, working proofs of concept, and real-world exploitation cases makes it difficult to decide how to address vulnerabilities.

What CVSS doesn’t tell you about a vulnerability

CVSS is the industry standard for describing a vulnerability’s severity, the conditions under which it can be exploited, and its potential impact on a vulnerable system. However, beyond this description (and the CVSS Base score), there’s a lot it doesn’t cover:

  • Who found the vulnerability? Was it the vendor, an ethical researcher who reported the flaw and waited for a patch, or was it a malicious actor?
  • Is there an exploit publicly available? In other words, is there readily available code to exploit the vulnerability?
  • How practical is it to exploit in real-world scenarios?
  • Is there a patch? Does it cover all vulnerable software versions, and what are the potential side effects of applying it?
  • Should the organization address the vulnerability? Or does it affect a cloud service (SaaS) where the provider will automatically fix the defects?
  • Are there signs of exploitation in the wild?
  • If there are none, what’s the likelihood attackers will leverage this vulnerability in the future?
  • Which specific systems within your organization are vulnerable?
  • Is the exploitation practically accessible to an attacker? For example, a system might be a corporate web server accessible to anyone online, or it could be a vulnerable printer physically connected to a single computer that has no network access. A more complex example might be a vulnerability in a software component’s method, where the specific business application using that component never actually calls the method.
  • What would happen if the vulnerable systems were compromised?
  • What’s the financial cost of such an event to the business?

All these factors significantly influence the decision of when and how to remediate a vulnerability — or even if remediation is necessary at all.

How to amend CVSS? RBVM has the answer!

Many factors that are often hard to account for within the confines of CVSS are central to a popular approach known as risk-based vulnerability management (RBVM).

RBVM is a holistic, cyclical process, with several key phases that repeat regularly:

  • Inventorying all IT assets of your business. This includes everything from computers, servers and software, to cloud services and IoT devices.
  • Prioritizing assets by importance: identifying your crown jewels.
  • Scanning assets for known vulnerabilities.
  • Enriching the vulnerability data. This includes refining CVSS-B and CVSS-BT ratings, incorporating threat intelligence, and assessing the likelihood of exploitation. Two popular tools for gauging exploitability are EPSS (another FIRST rating that provides a percentage probability of real-world exploitation for most vulnerabilities), and consulting databases like CISA KEV, which contains information about vulnerabilities actively exploited by attackers.
  • Defining the business context: understanding the potential impact of an exploit on vulnerable systems, considering their configurations and how they’re used within your organization.
  • Determining how the vulnerability can be neutralized through either patches or compensatory measures.
  • The most exciting part: assessing the business risk and setting priorities based on all the gathered data. Vulnerabilities with the highest probability of exploitation and possible significant impact on your key IT assets are prioritized. To rank vulnerabilities, you can either calculate CVSS-BTE — incorporating all collected data into the Environmental component, or use alternative ranking methodologies. Regulatory aspects also influence prioritization.
  • Setting deadlines for each vulnerability’s resolution based on its risk level and operational considerations, such as the most convenient time for updates. If updates or patches aren’t available, or if their implementation introduces new risks and complexities, compensatory measures are adopted instead of direct remediation. Sometimes, the cost of fixing a vulnerability outweighs the risk it poses, and a decision might be made not to remediate it at all. In such cases, the business consciously accepts the risks of the vulnerability being exploited.
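To make the enrichment and prioritization phases above concrete, here is an added example (not Kaspersky’s code or any vendor’s RBVM product) that ranks findings using the inputs the post names: CVSS base score, EPSS probability, CISA KEV membership, asset criticality from the inventory, exposure, reachability of the vulnerable code, and patch availability. The weighting is an assumption chosen for illustration, the sample inventory is constructed, and the CVE identifiers are placeholders.

```python
"""Risk-based ranking of vulnerabilities (added example; not from the Kaspersky post).

The scoring weights below are an illustrative assumption, not a published standard.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss_base: float          # CVSS-B, 0-10
    epss: float               # FIRST EPSS probability of exploitation, 0-1
    in_kev: bool              # listed in CISA KEV (exploited in the wild)
    asset_criticality: int    # 1 (lab box) .. 5 (crown jewel), from the asset inventory
    internet_facing: bool
    reachable: bool           # does this deployment actually expose the vulnerable code path?
    patch_available: bool


def likelihood(f: Finding) -> float:
    """Probability-like estimate of exploitation in *this* environment (assumed weighting)."""
    if not f.reachable:
        return 0.0
    p = max(f.epss, 0.5) if f.in_kev else f.epss  # KEV entries are being exploited already
    if not f.internet_facing:
        p *= 0.3  # the attacker first needs a foothold inside the network
    return min(p, 1.0)


def impact(f: Finding) -> float:
    """Business impact on a 0-1 scale: CVSS severity scaled by asset criticality."""
    return (f.cvss_base / 10.0) * (f.asset_criticality / 5.0)


def risk(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 4)


def plan(f: Finding) -> str:
    """Map the risk level to a remediation decision, including accepting the risk."""
    r = risk(f)
    if r == 0.0:
        return "accept (not reachable)"
    if r >= 0.4:
        return "patch now" if f.patch_available else "compensating controls now"
    if r >= 0.1:
        return "patch in next cycle" if f.patch_available else "compensating controls"
    return "backlog"


def prioritize(findings):
    """Return findings ordered by descending risk, each with a remediation plan."""
    ranked = sorted(findings, key=risk, reverse=True)
    return [(f.cve, f.asset, risk(f), plan(f)) for f in ranked]


# Constructed sample inventory. CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "dev-build-box", 9.8, 0.02, False, 1, False, True, True),
    Finding("CVE-0000-0002", "customer-portal", 6.1, 0.70, True, 5, True, True, True),
    Finding("CVE-0000-0003", "erp-db", 8.8, 0.40, False, 5, False, True, False),
    Finding("CVE-0000-0004", "hr-app", 9.1, 0.90, True, 4, True, False, True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Run as is, the 6.1 on the internet-facing crown jewel that is in KEV comes out first, the 8.8 on the isolated database without a patch gets compensating controls, the 9.8 on a throwaway build box lands in the backlog, and the 9.1 whose vulnerable method is never called is accepted. That is the ordering a CVSS-B cutoff of “8 and above” would have inverted.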

In addition to what we’ve discussed, it’s crucial to periodically analyze your company’s vulnerability landscape and IT infrastructure. Following this analysis, you need to introduce cybersecurity measures that prevent entire classes of vulnerabilities from being exploited or significantly boost the overall security of specific IT systems. These measures can include network micro-segmentation, least privilege implementation, and adopting stricter account management policies.

A properly implemented RBVM process drastically reduces the burden on IT and security teams. They spend their time more effectively as their efforts are primarily directed at flaws that pose a genuine threat to the business. To grasp the scale of these efficiency gains and resource savings, consider this FIRST study. Prioritizing vulnerabilities using EPSS alone allows you to focus on just 3% of vulnerabilities while achieving 65% efficiency. In stark contrast, prioritizing by CVSS-B requires addressing a whopping 57% of vulnerabilities with a dismal 4% effectiveness. Here, “efficiency” refers to successful remediation of vulnerabilities that have actually been exploited in the wild.

Kaspersky official blog – Read More

Turn Alert Noise into Threat Insights without Leaving QRadar SOAR with ANY.RUN 

IBM QRadar SOAR is a go-to platform for incident response. To make things faster and easier for SOCs to use this powerful tool with ANY.RUN’s services, we built an official app. Now you can seamlessly launch different playbooks directly inside SOAR to streamline threat analysis, speed up investigations, and reduce Mean Time to Respond (MTTR) in your SOC.  

Here’s how your team can benefit from the new integration. 

Streamline Your SOC Workflows 

ANY.RUN app for IBM QRadar SOAR 

The app available on IBM Exchange allows SOC teams to start using ANY.RUN’s services in a more flexible and seamless way to detect threats and resolve incidents faster. The setup takes a few seconds as you only need an API key to connect your ANY.RUN account to QRadar SOAR, eliminating the need for custom development.  

With this integration, you can get IOCs and verdicts from the sandbox and indicator context from TI Lookup to simplify triage and enrich incident data. 

  • Early Threat Detection: Real-time data from sandbox analyses and TI Lookup enable you to identify and respond to new attacks at their earliest stages. 
  • Automation of Routine Tasks: Prebuilt playbooks enable automatic or manual actions, saving time for Tier 1 and Tier 2 analysts. 
  • Reduced Response Times: Cuts incident analysis time by automating enrichment and analysis processes. Results feed directly into SOAR playbooks, enabling rapid isolation, blocking, or escalation based on your workflows. 

Proactive Threat Analysis with Interactive Sandbox 

ANY.RUN playbook library 

ANY.RUN’s Interactive Sandbox is a cloud-based service for analysis of suspicious files and URLs. It provides SOC teams with instant access to fully interactive Windows, Linux, and Android virtual machines, allowing you to engage with the system and the sample at hand and detonate every stage of the attack, from opening an email attachment to solving a CAPTCHA. 

The sandbox logs and marks malicious network traffic, processes, registry and file modifications, providing instant visibility into the threat’s behavior. For each analysis, it generates a comprehensive report with a threat level verdict, IOCs, and TTPs.  

With IBM QRadar SOAR integration, your SOC team can use the Automated Interactivity of the Sandbox to:  

  • Triage Files and URLs: Send suspicious files or URLs from IBM QRadar SOAR to ANY.RUN’s Sandbox for instant analysis, reducing manual effort. 
  • Gain Deep Behavioral Insights: Access detailed logs of malicious activities, including network traffic, processes, and file changes, for thorough threat understanding. 
  • Auto-Detonate Multi-Stage Attacks: Take advantage of Automated Interactivity for automated execution of user actions such as archive extraction, CAPTCHA solution, and payload launching to reach the final stage of the attack and ensure complete detection. 

For the most accurate results, it’s recommended to avoid manual interference during the sandbox session. Let the analysis run to completion, so all behavior stages can be observed and properly logged. 

Instant Incident Enrichment with TI Lookup 

ANY.RUN TI Lookup playbook 

Threat Intelligence Lookup contains a database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Action (IOAs) extracted from live sandbox analyses of active malware and phishing attacks across 15,000 organizations.  

It lets you search across various types of indicators, from IPs and domains to mutexes and registry keys. Since all data comes from real-time detonation of threats, TI Lookup always offers fresh indicators, available within hours and even minutes after the attack happened.  

With IBM QRadar SOAR integration, your SOC team can use TI Lookup to:  

  • Enrich Incidents Automatically: Pull detailed threat intelligence for key indicator types, including DNS Name, File Name, File Path, IP Address, MD5, SHA-1, SHA-256, Mutex, Port, Process Name, Registry Key, and URL, directly into SOAR incidents. 
  • Add Behavioral Threat Context: Enhance indicators with behavioral insights from live sandbox analyses, providing deeper context for threat understanding. 
  • Speed Up Threat Assessment: Use fresh, high-quality data from 15,000 organizations to quickly evaluate and prioritize potential threats. 

What Your Team Gains: Business and Operational Benefits 

The IBM QRadar SOAR integration with ANY.RUN delivers measurable performance gains across your SOC, improving key metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), while enhancing decision-making at every level. 

  • Cost and Time Savings: Lower analyst workload by automating repetitive tasks, allowing focus on critical threats. 
  • Increased SOC Efficiency: Streamline triage, investigation, and escalation for Tier 1 and Tier 2 analysts with built-in automation and enriched data, reducing alert fatigue and manual steps. 
  • Enhanced Decision-Making and Process Improvement: Use detailed Sandbox reports and enriched data to create more effective rules, update response playbooks, and train detection models. 
  • Proactive Threat Management: Detect emerging threats earlier with fresh, behavior-based data from real-time malware analysis. TI Lookup and Sandbox insights help you uncover stealthy or multi-stage attacks that traditional tools may miss. 
  • Stronger ROI from Existing Tools: Maximize the value of your SOAR investment by extending its capabilities with behavioral analysis and contextual enrichment, no additional infrastructure required. 

How to Get Started 

Getting started with the ANY.RUN app in IBM QRadar SOAR takes just a few steps: 

1. Install the App from IBM App Exchange 

Simply find the official ANY.RUN app and install it in your SOAR environment; no coding or custom development needed. 

Install the ANY.RUN app from IBM App Exchange 

2. Connect Using Your ANY.RUN API Key 

In the integration settings, add your API key to connect your ANY.RUN account. You can choose to activate: 

  • TI Lookup only for real-time IOC enrichment 
  • Sandbox only for dynamic file and URL analysis 
  • Both modules together for full access to enrichment and behavioral analysis 

Both modules are available to paid ANY.RUN users and can be used independently or in combination, depending on your license. 

Add your API key to connect your ANY.RUN account 

3. Use or Customize the Playbooks 

Use the pre-configured playbooks that come with the integration or customize them to fit your SOC workflows. 

Pre-configured playbook example 

4. Automate Enrichment and Analysis in Your Incidents 

Once configured, you can begin automating threat investigation steps directly within IBM QRadar SOAR: 

  • Pull data from TI Lookup by sending artifacts (IPs, hashes, domains, etc.) and retrieving JSON-based enrichment with real-time threat intelligence 
  • Send files and URLs to Sandbox and receive key indicators, behavioral tags, verdicts, and detailed reports (PDF/JSON), all injected back into the incident 

Data pulled from ANY.RUN’s TI Lookup 

This lets your analysts make faster decisions, automate triage, and reduce response time without manual switching between tools. 

Integrate ANY.RUN with Other Solutions and Vendors 

ANY.RUN supports multiple integrations with popular security products. Check out the list to see how you can streamline workflows in your SOC.  

About ANY.RUN 

ANY.RUN is trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and beyond. Our services help security teams investigate threats faster and with greater confidence. 

Accelerate response times with our Interactive Sandbox: Analyze suspicious files in real time, uncover malicious behavior, and support quick decision-making. 

Enhance detection capabilities using Threat Intelligence Lookup and TI Feeds: Give your team the context they need to stay ahead of evolving cyber threats. 

Reach out to us for a 14-day trial of ANY.RUN’s service now → 

The post Turn Alert Noise into Threat Insights without Leaving QRadar SOAR with ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

ToolShell: Details of CVEs Affecting SharePoint Servers


Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates, Microsoft also recommends that users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity and Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

Vulnerability details 

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-49704 and CVE-2025-49706. A key feature of the previous vulnerabilities was that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative, Microsoft recommends that the Antimalware Scan Interface (AMSI) be turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via PowerShell and via Central Admin.

Coverage 

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally, Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Related existing BP Rules: 

Malicious Process Creation By Microsoft Exchange Server IIS triggers on creation of the webshell payload 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (vulnerability) and 65183 (webshell).  

Cisco Talos Blog – Read More

Update Microsoft SharePoint ASAP | Kaspersky official blog

Unknown malefactors are actively attacking companies that use SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities – CVE-2025-53770 (CVSS rating – 9.8) and CVE-2025-53771 (CVSS rating – 6.3), attackers are able to execute malicious code on the server remotely. The severity of the situation is highlighted by the fact that patches for the vulnerabilities were released by Microsoft late Sunday night. To protect the infrastructure, researchers recommend installing the updates as soon as possible.

The attack via CVE-2025-53770 and CVE-2025-53771

Exploitation of this pair of vulnerabilities allows unauthenticated attackers to take control of SharePoint servers, and therefore not only gain access to all the information stored on them, but also use the servers to spread their attack on the rest of the infrastructure.

Researchers at EYE Security state that even before the Microsoft bulletins were published, they had seen two waves of attacks using this vulnerability chain, resulting in dozens of servers being compromised. Attackers install web shells on vulnerable SharePoint servers and steal cryptographic keys that can later allow them to impersonate legitimate services or users. This way they can gain access to compromised servers even after the vulnerability has been patched and the malware destroyed.

Relationship to CVE-2025-49704 and CVE-2025-49706 vulnerabilities (ToolShell chain)

Researchers noticed that the exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerability chain is very similar to the ToolShell chain of two other vulnerabilities, CVE-2025-49704 and CVE-2025-49706, demonstrated in May, as part of the Pwn2Own hacking competition in Berlin. Those two were patched by previously released updates, but apparently not perfectly.

By all indications, the new pair of vulnerabilities is an updated ToolShell chain, or rather a bypass of the patches that fix it. This is confirmed by Microsoft’s remarks in the description of the new vulnerabilities: “Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

How to stay safe?

The first thing to do is install the patches, and before rolling out the emergency updates released yesterday, you should install the regular July KB5002741 and KB5002744. At the time of writing this post, there were no patches for SharePoint 2016, so if you’re still using this version of the server, you’ll have to rely on compensating measures.

You should also make sure that robust protective solutions are installed on the servers and that the Antimalware Scan Interface (AMSI), which helps Microsoft applications and services to interact with running cybersecurity products, is enabled.

Researchers recommend replacing machine keys in ASP.NET on vulnerable SharePoint servers (you can read how to do this in Microsoft’s recommendations), as well as other cryptographic keys and credentials that may have been accessed from the vulnerable server.

If you have reason to suspect that your SharePoint servers have been attacked, it is recommended that you check them for indicators of compromise, primarily the presence of the malicious spinstall0.aspx file.
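The only file-name indicator this post gives is spinstall0.aspx. As an added example (not Kaspersky’s tooling or Microsoft’s guidance), the script below sweeps a directory tree for that name, matching case-insensitively because NTFS does, and records the path, size, modification time and SHA-256 of each hit so the result can be handed to incident responders or checked against threat intelligence. The directory to scan is a parameter; no SharePoint installation path is assumed, and the file content written by the demo is a constructed placeholder, not a web shell.

```python
"""Sweep a directory tree for the spinstall0.aspx indicator (added example; not from the Kaspersky post)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# File names to look for. Only the name named in the advisory is listed here.
IOC_FILENAMES = {"spinstall0.aspx"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, names=IOC_FILENAMES) -> list:
    """Return one record per matching file: path, size, mtime (UTC ISO 8601), sha256."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                hits.append({
                    "path": full,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                    "sha256": sha256_of(full),
                })
    return sorted(hits, key=lambda h: h["path"])


# Constructed placeholder content for the demo; not a real web shell.
CONSTRUCTED_SAMPLE = b"<%@ Page %> constructed placeholder, not a real web shell\n"


def demo_sweep() -> list:
    """Build a constructed tree in a temporary directory and sweep it (self-test helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        layouts = os.path.join(tmp, "LAYOUTS")  # directory name chosen for the demo only
        os.makedirs(layouts)
        with open(os.path.join(layouts, "SpInstall0.aspx"), "wb") as fh:
            fh.write(CONSTRUCTED_SAMPLE)
        with open(os.path.join(layouts, "default.aspx"), "wb") as fh:
            fh.write(b"<%@ Page %> benign page\n")
        return sweep(tmp)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (sweep(root) if root else demo_sweep()):
        print(hit)
```

Run it with the SharePoint web root as the argument on a suspect server; a hit is a reason to preserve the file and its timestamps before remediation, since the post notes that attackers who stole signing keys can return after the patch, so a clean sweep alone does not close the incident.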

If your internal incident response team lacks the in-house resources to identify indicators of compromise or remediate the incident, we advise you to contact third-party experts.

Kaspersky official blog – Read More

Malware Trends Report, Q2 2025: Know the Key Risks to Your Business

What’s Inside the Report


Over 15,000 companies across finance, healthcare, government, and other industries analyze suspicious files and URLs inside ANY.RUN’s Interactive Sandbox to ensure early threat detection. The data from these analyses becomes freely available through Threat Intelligence Lookup, helping other organizations enrich their investigations with fresh threat context, accelerate response, and strengthen proactive defense. 

Each quarter, we dive into the last three months of this data to spotlight key trends that shape strategic planning of numerous organizations for the next quarter. ANY.RUN’s Malware Trends Report provides a comprehensive breakdown of the cyber threat landscape. The report saves organizations hours of research with actionable insights to boost security resilience. 

Key threats covered in the report:

Previous Reports

ANY.RUN publishes quarterly malware trends reports along with the final annual report. Below are links to reports from 2024 and 2025:

To see reports for 2023, please click here

Learn all about the most recent malware trends to keep track of growing threats and stay alert to protect your organization. 

About ANY.RUN

ANY.RUN’s services are used by SOC teams and companies across different industries, including finance, manufacturing, healthcare, and technology.

The Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, & Android systems. It provides capabilities for hands-on and in-depth investigations of complex malware and phishing scenarios.

Threat Intelligence Lookup enables organizations to enrich their knowledge on active cyber attacks, while TI Feeds allow businesses to expand threat coverage and detection.

Integrate ANY.RUN to level up your cyber resilience →

The post Malware Trends Report, Q2 2025: Know the Key Risks to Your Business appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More