Release Notes: Threat Intelligence Reports, New Website Design, & Enhanced Detection

Hey, cybersecurity enthusiasts! 

February brought major enhancements to ANY.RUN, improving threat intelligence, detection capabilities, and overall user experience. 

With the launch of Threat Intelligence Reports, security professionals now have access to detailed, expert-driven analyses of cyber threats, malware, and APT activities.

We also introduced a redesigned website, making navigation more intuitive and structured. 

On the detection side, we significantly improved our threat-hunting capabilities, adding 314 new Suricata rules, refining behavior signatures, and expanding our YARA rule database. These updates strengthen real-time threat visibility and detection accuracy, helping analysts respond faster to emerging cyber threats. 

Let’s take a closer look at February’s updates and how they enhance your malware-hunting workflow. 

Product Updates 

Threat Intelligence Reports

In February, ANY.RUN introduced Threat Intelligence Reports in TI Lookup: detailed research on cyber threats, providing security professionals and decision-makers with actionable insights. 

Curated by our experts, these reports support threat monitoring, incident response, R&D, and strategic planning, covering malware, ransomware, phishing campaigns, and APTs.  

The reports are built on real-world threat data from our Interactive Sandbox, TI Lookup, and community-driven malware analyses. 

View sample report on APT41 Attacks    

An example of a recent TI report

How to access TI Reports 

Paid TI Lookup users get full reports, while summaries and select reports are available for free. 

  1. Go to intelligence.any.run
  2. Click the TI Reports icon on the left. 
  3. Select a report from the feed. 

New reports are marked with a “New” badge for quick access. 



What’s inside TI Reports? 

Each report provides a detailed threat overview, covering key aspects such as: 

  • Threat actor or malware profile: Origins, objectives, targeted industries, and regions. 
  • TTPs: Methods used by attackers, helping in detection and mitigation. 
  • IOCs, IOBs, IOAs: Critical data for identifying threats in your environment. 
  • YARA and SIGMA rules: Ready-to-use detection rules for security systems. 
  • Sandbox analysis links: Direct access to real-world threat samples in action. 
  • Additional references: Supporting research and external resources for deeper insights. 

New Website Design: A More User-Friendly Experience 

In February, we introduced a redesigned ANY.RUN website, making it more intuitive, structured, and easier to navigate. The new design makes sure that all essential cybersecurity resources and solutions are now better organized and easily accessible. 

The new redesigned webpage of ANY.RUN

Whether you’re exploring threat intelligence, running sandbox analyses, or researching cybersecurity insights, the updated layout enhances usability for both security experts and new users. 

Threat Coverage Updates 

Suricata Rules 

In February, we added 314 new Suricata rules, strengthening our network-based threat detection. Notable updates include: 

  • A Booking.com phishing rule, designed to detect fraudulent activity targeting users. 
  • A rule for Australia Gov phishing attempts, though it covers only partial cases due to dynamic URL changes and regional access restrictions. 

New Behavior Signatures 

This month, we expanded behavior-based detection, adding new mutex findings, threat detections, and suspicious activity signatures. These updates improve the ability to track malware persistence mechanisms and evasive techniques in real-time. 

New Malware & Threat Detections 

Suspicious Activities & Evasion Techniques 

  • Disabling Windows security features: 
    • Firewall 
    • SmartScreen 
    • Task Manager 
    • Command Prompt 
    • Remote Desktop Access 

Additional Mutex Detections 

  • Darkside, Crytox, Xtreme, Funlocker, Redlocker, Roblox, Aida64, Smartsteamemu, Processlasso, Cactus, Phobos 
  • Nitrogen (mutex & detection) 
  • Various software-related mutex detections, including COYOTE mutex, Proxifier, Wireshark, Java, Adguardvpn, Cheatengine, Opera, Electron Js, Adobeinstaller, Hotbar, Quickdriverupdater, and Pcappstore 

New YARA Rule Updates 

In February, we expanded our YARA rule database, enhancing malware detection and classification. The latest rules target a variety of stealers, RATs, ransomware, and loaders, improving detection accuracy for emerging threats. 

  • Spearal 
  • Veaty 
  • Clipog 
  • Cerbfyne 
  • Funklocker 
  • Redlocker 
  • Cloudscout 
  • MillenniumRAT 
  • JasonRAT 
  • Meduza 
  • CelestialRAT 
  • RansomHub 
  • Xorist 
  • Hellcat 
  • HKBot 
  • MiyaRAT 
  • Zhong 
  • DarkTrack 


About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


How to safely convert files | Kaspersky official blog

You almost certainly know the situation when a friend or colleague sends you files in a format you can’t open. For example, you asked for photos, expecting JPEGs or PNGs, but instead they arrive in HEIC format. What do most people do in this case? That’s right, they look for a free online file-converter.

If you’re a long-time reader of our Kaspersky Daily blog, you probably already know that the most popular method of doing most anything is hardly ever the safest. File conversion is no different. Let’s figure out together what threats are lurking inside free online-converters, and find out how to change file format safely.

Why is this important? Because converting a file is not simply a matter of changing its extension — otherwise you could just rename the file from, say, EPUB to MP3. Instead, the converter program must read the file, understand what it contains, convert the data and re-save it in a different format — and each of these stages poses its own threats.

Personal data leakage, malware, and other threats

The first risk that springs to mind is personal data leakage. Even if you’re a “who on earth needs my data?” kind of person, you should still take care: your vacation snaps may be of no use to anyone, but confidential work documents are a different kettle of fish. When you upload a file to an online converter, you can never be sure that the site won’t save a copy of your file for its own purposes. Uploaded data can easily end up in the hands of scammers, and even be used to launch an attack on your company. And if you get fingered as the intruders’ entry point into the corporate network, your infosec team will hardly be thanking you.

If you think this threat applies solely to text or spreadsheet documents, and that a photo of some accounting statement can be safely uploaded and converted to PDF, think again. Optical character recognition (OCR) was invented last century, and now, with AI, even mobile Trojans have learned to extract data of interest to attackers from photos in your smartphone gallery.

Another common risk is malware infection. Some dubious converter sites may modify your files or add malicious code to the converted file — and without reliable protection you won’t know about it until it’s too late. The converted files may contain scripts, Trojans, macros, and other nasty stuff we’ve covered in detail many times.

Converter sites may also be phishing, so services asking you to register, enter a load of personal data, and buy a subscription just to convert a file from, say, PDF to DOC, should be eyed with suspicion. If you still plan to use an online converter, look for one that doesn’t require registration, and never give it your payment details.

How to convert files locally

The safest way is to convert files locally; that is, on your own device without using third-party sites. This way, the data is guaranteed to remain confidential — at least until you connect to the internet. You can change a file’s format using either system tools or popular programs.

For text and spreadsheet files, as well as presentations, Microsoft Office can help. It can read many file formats using the File → Open or File → Import commands (depending on the version of Office and the operating system), and save them in different formats using the File → Save As → Save as type (or File format) or File → Export commands. The list of available formats is long: from PDF and HTML to the OpenDocument standard.

If you don’t have access to Microsoft products, you can use the free alternatives LibreOffice and OpenOffice, which also support various text and table file formats. On Windows, text documents can also be converted in a built-in WordPad editor, although it reads far fewer file types.

For macOS users, Apple’s office applications (Pages, Numbers, Keynote) recognize and save documents in many different formats.

As for graphics files, things are even simpler. Built-in operating-system tools can help convert images from PNG to JPEG. On Windows, just use this command in Paint: File → Save as. macOS users don’t even need to open any programs — just right-click the image in Finder and select Quick Actions → Convert Image. The window that opens gives you a choice of format (PNG, JPEG, HEIF) and converted image size.

If the above conversion options aren’t enough — for example, you’re handling audio/video files or specific file formats — look for offline tools with a solid reputation as free and open-source software (FOSS).

For video (and many audio) formats, check out Handbrake (Windows, macOS, Linux) and Shutter Encoder (Windows, macOS, Linux); for audio, try Audacity, and for images, ImageMagick (Windows, macOS, Linux).

Most multimedia converters simply add a graphical interface to FFmpeg, perhaps the top tool for converting multimedia formats. Its only drawback (which for some is a plus) is that it only works from the command line.

If you’re fine with the command line, FFmpeg is the obvious choice (but, being fine, you’ve probably got it installed already). Another great choice for command line fans is Pandoc — a versatile converter of text and markup formats. Incidentally, under Extras on the Pandoc website, you can find many third-party utilities for adding a graphical interface to this converter, or embedding it in other editors, services, or even operating systems.

All of the above converters are FOSS (free and open-source software), and support at least the most popular operating systems: Windows, macOS, Linux.

When choosing other offline converters, make sure that the conversion really does take place locally — many tools simply provide an interface to online converters and still send your source files to a server. This is very easy to check by disconnecting from the internet before converting. If the tool doesn’t work, it’s not an offline converter.

How to convert files online as safely as possible

Sometimes there’s no avoiding online converters — for example, you were sent a file in some highly exotic or outdated format. The next section looks at how to minimize threats when converting files online.

Alas, it’s impossible to guarantee confidentiality when using an online converter. Its creators can write whatever they want in the site’s policies, but you’ll never know what actually happens to your uploaded data. Therefore, the golden rule is: never convert sensitive information online.

If you have a Google account (and who doesn’t?), you can upload the file you want to convert to Google Drive (most office formats are accepted), right-click, and open it in Google Docs/Sheets/Slides, then download it in a different format. Among the pluses, this method also works on mobile devices — although in this case it’s more convenient to open the file in the relevant Google editing tool.

Another fairly safe way to convert either text or graphics files is Adobe’s online converter. You can even use it for free on a smartphone — but there’s a catch: all uploaded data gets stored on Adobe’s servers, making this method unsuitable for confidential files.

Follow these rules to ensure maximum safety when converting files online:

  • Use reputable online converters.
  • Open the converter site in a new browser window in Incognito mode; this will reduce the amount of information collected about you — but not down to zero.
  • Use a reliable VPN to hide your real IP address from the converter site.
  • Review the online converter’s privacy policy to understand how your data will be handled. Make sure the service does not collect, store, or transfer information without your consent — or at least claims not to.
  • Check that the files for conversion do not contain confidential information.
  • Scan the converted files with an antivirus. Be very wary if the converter site wants you to download the result in an archive — especially a password-protected one, since this is the most common way to conceal a virus from security software. If you don’t have any protection software on your device (heaven forbid), you can scan the downloaded file using our online file checker.
  • Avoid unverified sites that require registration and payment details.

Unzip this

Lastly, a small life-hack that few people know about. Sometimes you don’t need to convert a file to another format at all, but just extract information from it; for example — pull images out of a text document or presentation in their original format. Doing this even with native editors is usually time-consuming and inconvenient — you have to export the images one by one, and the editors might change their size or compress them, deteriorating the picture quality.

But there’s a way round this. The secret is that files of many formats are nothing more than a compressed folder with subfolders that store “pieces of the puzzle”: text, images, embedded videos, and the like. And it’s all zipped. That means that almost all office-suite files are ZIPs with the extension changed to DOCX, PPTX, PAGES, etc.

To extract all the contents from this “archive”, you simply need to rename the file, changing its extension to ZIP, and then unzip it. The result will be a folder with subfolders in which all the “ingredients” of the original document are neatly laid out.

So, if you come across an unknown file format, first of all scan it for viruses with a reliable security solution, then make a copy of it, change the extension to ZIP (in macOS, if the file extension is hidden, you may need to press ⌘+I to change it), and try to unzip the file — in many cases this will work. Next, have a rummage around in the resulting folder — you’ll find all sorts of goodies!
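The "rename to ZIP" trick, done programmatically so that nothing is re-encoded on the way out. This is an added example, not Kaspersky's code: it treats a DOCX/PPTX/XLSX as the ZIP it is, lists the entries under the package's media folders, checks that each embedded image starts with the bytes its extension implies, and extracts them while refusing archive entries whose names would escape the output directory. The sample document is constructed in memory; a copy of a real file can be passed to the same functions as raw bytes.

```python
"""Open an OOXML office file (DOCX/PPTX/XLSX) as the ZIP it is and pull out
the embedded media in their original bytes. Added example, not Kaspersky's
code; the sample document below is constructed in memory."""
import io
import os
import tempfile
import zipfile

# Folders in which OOXML packages store embedded pictures, audio and video.
MEDIA_DIRS = ("word/media/", "ppt/media/", "xl/media/")

# Leading bytes for a few image formats, used to check that an embedded
# file really is what its extension claims.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def _media_entries(zf: zipfile.ZipFile):
    return [i for i in zf.infolist()
            if not i.is_dir() and i.filename.startswith(MEDIA_DIRS)]


def is_ooxml_package(data: bytes) -> bool:
    """An OOXML document is a ZIP with [Content_Types].xml at its root."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "[Content_Types].xml" in zf.namelist()


def list_media(data: bytes) -> list:
    """Describe each embedded media entry without extracting it."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in _media_entries(zf):
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(8)
            expected = MAGIC.get(ext)
            out.append({
                "name": info.filename,
                "size": info.file_size,
                # None when we know no signature for this extension.
                "magic_ok": None if expected is None else head.startswith(expected),
            })
    return out


def extract_media(data: bytes, dest: str) -> list:
    """Write media entries under dest, skipping names that would escape it
    (a crafted archive can carry '../' components in entry names)."""
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in _media_entries(zf):
            target = os.path.realpath(os.path.join(dest, info.filename))
            if not target.startswith(dest + os.sep):
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_tempdir(data: bytes) -> list:
    """Extract into a fresh temporary directory; returns the basenames written."""
    dest = tempfile.mkdtemp(prefix="ooxml_media_")
    return sorted(os.path.basename(p) for p in extract_media(data, dest))


def build_sample_docx(with_traversal: bool = False) -> bytes:
    """Constructed minimal DOCX-like package: a genuine PNG, a file that
    claims to be a JPEG but starts with a PE header, and optionally an
    entry whose name points outside the media folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", MAGIC[".png"] + b"\x00" * 32)
        zf.writestr("word/media/image2.jpg", b"MZ" + b"\x00" * 32)
        if with_traversal:
            zf.writestr("word/media/../../../escaped.png", MAGIC[".png"])
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(with_traversal=True)
    print("OOXML package:", is_ooxml_package(sample))
    for entry in list_media(sample):
        print(entry)
    print("extracted:", extract_to_tempdir(sample))
```

An entry reported with `magic_ok` False is exactly the case the post warns about: something inside the document is not the picture its name suggests, so scan before opening it.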


Google OAuth: abandoned domains attack | Kaspersky official blog

Just over a year ago, in our post entitled Google OAuth and phantom accounts, we discussed how using the “Sign in with Google” option for corporate services allows employees to create phantom Google accounts that aren’t controlled by the corporate Google Workspace admin, and continue to function after offboarding. Recently, it was discovered that this isn’t the only issue with OAuth. Due to weaknesses in this authentication mechanism, anyone can gain access to data of many defunct organizations by re-registering domains they abandoned. In this article, we explore this attack in more detail.

How authentication works with “Sign in with Google”

Some organizations may believe that “Sign in with Google” provides a reliable authentication mechanism backed by Google’s advanced technology and vast user monitoring capabilities. However, in reality, the Google OAuth authentication check is quite basic. It generally comes down to verifying that a user has access to an email address linked to an organization’s Google Workspace.

Moreover, as mentioned in our previous article on Google OAuth, this doesn’t necessarily have to be a Gmail address — Google accounts can be linked to any email address. Therefore, the security of accessing a corporate service via “Sign in with Google” is only as strong as the security of the email linked to the Google account.

Now let’s get into the details…

When authenticating a user in a corporate service, Google OAuth sends the following information to that service:

Description of Google OAuth ID token payload

In theory, the Google OAuth ID token includes a unique parameter called sub for each Google account. However, in practice, due to issues with its usage, services often only check the domain and email address.

Google recommends that services use the sub parameter, claiming that this identifier is unique and constant for the user account — unlike an email address. But in reality, the sub parameter isn’t always constant; for a small number of users, it changes over time, which can cause authentication failures. As a result, services tend not to use it, and instead verify only the domain and email address — contrary to Google’s recommendations.
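The service-side half of that recommendation, written as an added example (not Kaspersky's or Google's code): account lookup keyed on the token's `sub` claim, with the email index used only to notice that a known mailbox is now presenting a different Google identity, which is what a re-registered domain produces. It assumes the ID token's signature, issuer, audience and expiry have already been verified by an OIDC library, so only the decoded claims are handled; the account store and all claim values are constructed.

```python
"""Service-side account lookup for "Sign in with Google" keyed on the token's
sub claim rather than the email/domain pair. Added example, not Kaspersky's
or Google's code; assumes signature/issuer/audience/expiry were verified
upstream, so only decoded claims are handled. All sample values are
constructed."""
from dataclasses import dataclass, field

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass
class Account:
    user_id: str
    email: str
    sub: str  # Google's account identifier, captured at first sign-in


@dataclass
class AccountStore:
    """Two indexes over the same accounts: by_sub is authoritative; by_email
    only serves to detect a mailbox that has changed hands."""
    by_sub: dict = field(default_factory=dict)
    by_email: dict = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_sub[acct.sub] = acct
        self.by_email[acct.email.lower()] = acct


def resolve_login(claims: dict, store: AccountStore, allowed_hd: str):
    """Decide what to do with already-verified ID-token claims.

    Returns (action, account) where action is one of:
      'rejected'       claims fail basic checks
      'login'          sub matches a known account
      'link_required'  email is known but sub is not: either Google rotated
                       this user's sub (the rare case the post mentions) or
                       someone else now controls the mailbox, e.g. through a
                       re-registered domain. Re-verify out of band; never
                       merge the identities silently.
      'signup'         neither sub nor email is known
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return "rejected", None
    sub = claims.get("sub")
    if not sub:
        return "rejected", None
    # hd (hosted domain) must match, but it cannot tell the original owner
    # apart from whoever registered the domain later: only sub can.
    if claims.get("hd") != allowed_hd:
        return "rejected", None
    if not claims.get("email_verified", False):
        return "rejected", None

    acct = store.by_sub.get(sub)
    if acct is not None:
        return "login", acct
    existing = store.by_email.get(claims.get("email", "").lower())
    if existing is not None:
        return "link_required", existing
    return "signup", None


# Constructed sample data: one enrolled employee of a fictional defunct
# company, and two tokens that both carry her address.
def build_store() -> AccountStore:
    store = AccountStore()
    store.add(Account("u-alice", "alice@defunct.example", "100000000000000000001"))
    return store


LEGIT_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "alice@defunct.example",
    "email_verified": True,
    "hd": "defunct.example",
}

# Same email and hd, issued to whoever now owns the domain: a different sub.
REREGISTERED_CLAIMS = dict(LEGIT_CLAIMS, sub="100000000000000000999")

if __name__ == "__main__":
    store = build_store()
    for label, claims in (("original", LEGIT_CLAIMS), ("re-registered", REREGISTERED_CLAIMS)):
        print(label, "->", resolve_login(claims, store, "defunct.example")[0])
```

A service that checked only `email` and `hd` would return 'login' for both tokens; this one logs in the original sub and routes the other to a re-verification step.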

“Sign in with Google” using an abandoned domain

Thus, an attacker can gain unauthorized access to a company’s services by simply having access to an email within that company’s domain. This is particularly easy to do if the company has ceased operations and abandoned its domain: anyone can register it for themselves.

The attacker can then create any email address under this domain, and use it to log into one of the services the company likely used. Some of these services may display a list of real users linked to the organization’s workspace — even if the address entered by the attacker was never actually used.

With this list — and complete control over all email addresses within the abandoned domain — the attacker can reconstruct the original Google Workspace of the defunct company. In this way, attackers can gain access to the profiles of former employees in services that used Google OAuth for authentication.

How serious a problem is this?

Dylan Ayrey, the researcher who discovered this Google OAuth vulnerability (and the previous issue with phantom accounts), aimed to demonstrate the severity of potential consequences. Using data from Crunchbase, Ayrey compiled a list of over 100,000 terminated startups whose domains are now up for sale.

Ayrey purchased one of these abandoned domains and tested the feasibility of the attack. Among the corporate services he managed to access using this vulnerability were Slack, Zoom, Notion, ChatGPT, and HR systems.

Thus, with this relatively simple attack requiring minimal resources, an attacker can gain access to a wealth of confidential information, ranging from employee correspondence and notes to personal data from HR systems.

According to Ayrey’s estimates, around 50% of startups use Google Workspace. If we suppose that the average defunct startup had about 10 employees, we could be talking about hundreds of thousands of people and millions of vulnerable accounts.

Who’s responsible, and what can be done?

Ayrey dutifully notified Google of this vulnerability through its bug bounty program. He also suggested a long-term solution: creating truly permanent and unique identifiers for Google accounts and Google Workspace. However, his report was initially rejected, with the comment “no fix needed” and labeled as “fraud or abuse”!

However, a few months after Ayrey presented his findings at a hacker conference (!) the report was reopened, and he was awarded $1337. Notably, he received the same minimal reward for his previous discovery of the phantom Google accounts vulnerability.

According to Ayrey, Google promised to fix the vulnerability in Google OAuth, but didn’t specify when or how exactly they plan to do this. Therefore, the problem with the “Sign in with Google” mechanism remains an unresolved issue, for which no one is willing to take responsibility. Potential victims of this attack include former employees of defunct companies who no longer have control over their accounts. Worse still, there’s no one to hold accountable for the security of these accounts anymore.

The wise move here would be for companies to take preventive measures in advance. However, very few startups seriously plan for their own demise — let alone what will happen afterward.

Fortunately, defending against this Google OAuth vulnerability is relatively straightforward. There are two non-mutually exclusive options:

  • Use a traditional login-and-password combo instead of “Sign in with Google”, and always enable two-factor authentication.
  • If your company ceases operations, don’t abandon workspaces in corporate services; delete them instead. This is quite easy to do; for example, here are the instructions for Slack and Notion.


Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome

Welcome to this week’s edition of the Threat Source newsletter. 

Hello again my friends! Geez, it’s been a year, am I right? Lemons, it’s February you say?! Oof.  

Imposter syndrome. You’ve heard the term I’m sure, but what is it? Basically: imposter syndrome is the persistent feeling of self-doubt and fear of being exposed as a fraud despite clear evidence of competence and success. In cybersecurity, and especially in Talos, you will find imposter syndrome in abundance.

In Talos you’re in rooms of incredibly bright and smart people. They are paragons of what it is to be hackers, and you cannot help but often admire the amazing quality of their work. It is truly an amazing team that does important work to help save the world from the bad guys.  

The downside? You’re in a room of bright and smart people. Some can reverse malware binaries while juggling chainsaws. Some are polyglots who can at length tell you the linguistic nuances of Mesopotamian verbs and loanwords and have eidetic memory of every ransomware cartel ever. I personally know one who is an amazing, accredited musician and actually hacked a prison to open its jail cells on a pentest. 

How do you not compare yourself to the talents, skills, and achievements of wonderfully smart and talented people? It’s tough not to. Comparison is truly the thief of joy.  

The truth is – in cybersecurity and in places like Talos and elsewhere, you will be constantly assailing yourself with self-doubt of achievement and belonging. The anxiety, stress, and burnout from imposter syndrome are a real thing.  

So what do we do? First, look at your achievements. You are where you are because others saw value in your work. Second, challenge those negative self-thoughts. Easier said than done, I know, but hear me out. Use mentors and peer group support to help challenge those negative self-thoughts.

And lastly, be kind to yourself. Cybersecurity is a hard gig. It’s a gigantic amount of technical and non-technical information and we all feel the pressure to absorb, understand, and master it and all its nuances. That’s not possible of course, but we cyber folks are wired differently. If you can walk away with 1% more information than you had yesterday, that’s a win. Take it. Just be kind to yourself, ok? 

I want to take a moment to address a specific audience of readers. All the U.S.  federal workers who have been affected by reduction in force (RIFs), my heart goes out to you. This is an unearned hardship. I wish I had a magic wand to wave to alleviate the stress and trauma of a sudden event like this. I know it’s truly awful. If I can offer any guidance or mentorship for private sector cybersecurity, reach out. I may not have all the answers, but I will do what I can. Stay strong.  

The one big thing

Boy howdy is this a big one – scams! Look, the average person isn’t going to get smoked by Salt/Volt Typhoon, or wrestle with a financial threat actor like a ransomware cartel. But you absolutely have bought and sold things online. We break down seller abuse – that is, ways to trick sellers into being defrauded out of money. We always picture scams as the seller doing the defrauding, but the reverse is just as true.  

Why do I care?

You want to keep money in your pocket, and not be the victim of a scam. The adversaries here know the systems they are manipulating quite well and have fine-tuned the art of fraud. It’s important to understand the seller experience as much as the buyer experience in order to understand these kinds of frauds and thefts.

So now what?

Understand the threat landscape for seller/buyer fraud, and hopefully this work can help keep money in your pocket and keep you from becoming a victim of theft. Pay attention to URLs you’re asked to click, and clever redirects to scamming websites. Now you know. And as G.I. Joe said – knowing is half the battle.  

Top security headlines of the week

Sensitive financial and health data belonging to millions of veterans and stored on a benefits website is at risk of being stolen or otherwise compromised, according to a federal employee tasked with cybersecurity who was recently fired as part of massive government-wide cuts. (AP News)

Attackers are wielding a novel Linux backdoor against the education and public sectors in the US and Asia that demonstrates particularly stealthy ways to avoid both detection and deletion from a system. (Dark Reading)

Hackers claim to have published a trove of sensitive data belonging to IVF patients after a cyberattack on Genea, one of Australia’s largest fertility providers. (TechCrunch)

Can’t get enough Talos?

The Beers with Talos B-team comes in swinging hard on cyber security careers. I get a little spicy, and you want to hear it. Now that I know we bleep certain words, I anticipate a 50% uptake in more spicy content. You can all blame Hazel for this.

New research: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A blueprint for protecting major events – Yuri Kramarz joins Talos Takes to discuss his experience in cybersecurity and threat hunting for some of the world’s biggest sporting events.

Upcoming events where you can find Talos

RSA (April 28-May 1, 2025)  San Francisco, CA  

CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 

Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

Most prevalent malware files from Talos over the past week

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f  

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

Typical Filename: VID001.exe  

Detection Name: Simple_Custom_Detection


Enriching ANY.RUN’s TI Feeds with Unique IOCs: How It Works

Threat Intelligence Feeds from ANY.RUN provide a continuously-updated stream of the latest indicators of compromise. They enable SOC teams to quickly detect and mitigate attacks, including the emerging malware and persistent threats.

But how do ANY.RUN’s feeds get enriched with fresh and, most importantly, unique indicators that cannot be found elsewhere?

Let’s find out.

About ANY.RUN’s Threat Intelligence Feeds

ANY.RUN’s Threat Intelligence (TI) Feeds offer an extensive collection of Indicators of Compromise (IOCs) designed to enhance the threat detection capabilities of security systems. These feeds provide detailed information beyond the basics, including malicious IPs, URLs, domains, file hashes, and links to actual analysis sessions. This comprehensive data helps you understand how threats operate and behave in real-world scenarios.

Where does this data come from?

An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

  • Expand and speed up threat hunting with enriched, up-to-date data. 
  • Enhance alert triage and prioritize the most urgent issues. 
  • Improve incident response through a better understanding of threats and their behaviors. 
  • Proactively defend against new and evolving threats. 


IOCs Provided by ANY.RUN TI Feeds 

TI Feeds contain indicators along with additional info like the threat score, which signals the reliability:

  • 50: Suspicious
  • 75: Trustworthy
  • 100: Highly reliable

Here are the indicators you can find in ANY.RUN’s TI Feeds.

IP addresses

Compromised IPs instantly signal cybercriminal operations; they are often linked to Command-and-Control (C2) servers or phishing campaigns. By analyzing IP addresses, cybersecurity teams can proactively block suspicious traffic and analyze attack patterns and tactics.  

Domains  

They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.  

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes. 

URLs  

URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content.   

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. 

How ANY.RUN’s TI Feeds Are Enriched with Unique IOCs 

Several features of Threat Intelligence Feeds stand out, but one of the key factors is the way we collect indicators. Here are the two methods we use to get the latest and the most accurate indicators.

IOCs Extracted from Malware Configurations 

TI Feeds are fueled by data from ANY.RUN’s Interactive Sandbox, which provides, among other things, the option to extract malware configurations from memory dumps.

Configurations are crucial for understanding malware’s behavior and functions, tying it to a family and an adversary, and identifying all types of Indicators of Compromise (IOCs), which are then used for detection purposes. Such IOCs are particularly valuable as they contain hardcoded details such as command and control (C2) server addresses, encryption keys, and specific attack parameters.

Take a look at this sandbox session.

By opening the MalConf tab we can observe the extracted configuration of an AsyncRAT sample. One of the pieces of data found here is the malicious IP address used by the malware for communication with its C2 server.

ANY.RUN automatically extracts this crucial indicator and sends it to TI Feeds, which then get fed into the clients’ detection systems. This helps them identify the threat early and minimize its potential impact.


IOCs Detected with Suricata IDS Rules 

Indicators detected with Suricata rules are valuable because they focus on identifying patterns in network traffic rather than specific details like IP addresses or domains. This means Suricata can recognize threats even when attackers change their infrastructure.

Thanks to ANY.RUN’s extensive integration of Suricata rules for traffic analysis, we can consistently extract fresh network indicators of numerous malware families and cyber threats.

Check out this report, which shows analysis of a FormBook sample.

Suricata rule triggered after detecting FormBook’s C2 traffic

When we navigate to the Threats tab and then click on one of the triggered Suricata rules, we can see that the system has detected a connection to a domain controlled by the attackers.

You can see the domain name used by FormBook

As you would expect, this domain is sent directly to TI Feeds, strengthening our clients’ defense capabilities.

Integrate ANY.RUN’s TI Feeds 

ANY.RUN offers demo feed samples in STIX and MISP formats 

You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats free of charge by requesting a demo sample here.

ANY.RUN also runs a dedicated MISP instance that you can synchronize your server with or connect to your security solutions. To get started, contact our team via this page.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Enriching ANY.RUN’s TI Feeds with Unique IOCs: How It Works appeared first on ANY.RUN’s Cybersecurity Blog.


Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

  • Cisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing, telecommunications and media, delivering Sagerunex and other hacking tools for post-compromise activities. 
  • Talos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has actively conducted cyber espionage operations since at least 2012 and continues to operate today. 
  • Based on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we attribute these campaigns to the Lotus Blossom group with high confidence.  
  • We also observed Lotus Blossom gain persistence using specific commands to install their Sagerunex backdoor within the system registry and configuring it to run as a service on infected endpoints.  
  • Lotus Blossom has also developed new variants of Sagerunex that not only use traditional command and control (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail as C2 tunnels. 

A multi-campaign, multi-variant backdoor operation  


Talos assesses with high confidence that Lotus Blossom (also referred to as Spring Dragon, Billbug, Thrip) threat actors are responsible for these campaigns. The group was previously publicly disclosed as an active espionage group operating since 2012. Our assessment is based on the TTPs, backdoors, and victim profiles associated with each activity. Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in sectors such as government, manufacturing, telecommunications and media in areas including the Philippines, Vietnam, Hong Kong and Taiwan.  


Our investigation uncovered two new variants of the Sagerunex backdoor, which were detected during attacks on telecommunications and media companies, as well as many Sagerunex variants persistent in the government and manufacturing industries. These new variants no longer rely on the original Virtual Private Server (VPS) for their C2 servers. Instead, they use third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail service as C2 tunnels to evade detection. In our malware analysis section, we will delve into the technical specifics of each Sagerunex backdoor variant and illustrate their configurations. Some configurations reveal the possible original file paths of the malware, providing insights into the threat actor’s host paths. 

  

We also compiled a timeline for the evolution of Sagerunex by analyzing data from the campaigns we observed, third-party reports, malware compilation timestamps, and the timestamps of victim uploads on the C2 service: 

[Figure: timeline of the evolution of Sagerunex]

 

Attributing the attacks to Lotus Blossom 

Talos has identified strong evidence to attribute these campaigns to the Lotus Blossom group, primarily due to the presence of the Sagerunex backdoor within these operations. Sagerunex is a remote access tool (RAT) assessed to be an evolution of an older Billbug tool known as Evora. Sagerunex is built as a dynamic link library (DLL) that is injected into an infected endpoint and executed directly in memory.  

 

We also observed the Sagerunex backdoor employ various network connection strategies to ensure it remains under the actor’s control. Despite the development of three distinct variants, the foundational structures and core functionalities of the backdoor remain consistent. These consistent elements enable us to confidently categorize all identified variant backdoors as part of the Sagerunex family.  

 

Moreover, the consistent patterns in victimology and the TTPs identified across these campaigns strongly support our attribution to the Lotus Blossom espionage group. This consistency, seen in the selection of targets and the methods employed, aligns with the known operational characteristics of Lotus Blossom, providing compelling evidence that these campaigns are orchestrated by this specific threat actor. 

Lotus Blossom’s latest attack chain  

We conducted research into the main elements of the attack, including the specific functions of each malware strain and how Lotus Blossom managed to evade detection for several months. We also observed the threat actor leverage a number of hacking and open-source tools to achieve their objectives. 

  • Cookie stealer tool: A PyInstaller bundle of an open-source Chrome cookie stealer from GitHub. Lotus Blossom used it to harvest Chrome browser credentials.   

 

  • Venom proxy tool: A proxy tool written in Go for penetration testers. The threat actor customized Venom and hardcoded the destination IP address for each activity. 

 

  • Adjust privilege tool: Enabled the threat actor to retrieve another process’s token and adjust privileges for the launched process.  

 

  • Archiving tool: A custom compression and encryption tool that enabled the attacker to stage individual files or entire folders at a specific file path in protected form. For example, the tool archived the Chrome and Firefox browser cookie folders. 

 

  • Port relay tool: The threat actor named this tool “mtrain V1.01”; it is a modified proxy relay tool derived from HTran. The tool allowed the threat actor to relay the connection from the victim machine to the internet. 

 

  • RAR tool: An archive manager that the threat actor used to archive or zip files. 

Extended persistence   

Lotus Blossom frequently utilizes the Impacket tool to execute remote processes and commands within the victim’s environment, consistent with known Lotus Blossom TTPs. Once they gain access to a target, their operations typically unfold over multiple stages. Each stage is carefully executed, indicating a well-planned strategy aimed at achieving long-term objectives. This multi-stage approach enables them to maintain a presence in the network for extended periods, often going undetected for several months. Below is a visualization of the overall attack chain.  

[Figure: overall attack chain visualization]

 

In the compromised environment, the threat actor executes various commands such as “net,” “tasklist,” “quser,” “ipconfig,” “netstat,” and “dir.” These commands are used to gather detailed information about user accounts, directory structures, process activities, and network configurations. Following the initial reconnaissance, the actor assesses whether the compromised machine can connect to the internet. If internet access is restricted, the actor has two strategies: using the target’s proxy settings to establish a connection, or using the Venom proxy tool to link the isolated machines to internet-accessible systems. Additionally, we have noticed that the actor frequently deposits backdoor and hacking tools in the “public\pictures” subfolder. This location is accessible to all users and, unlike system folders, is not hidden or protected, making it a strategic choice for evasion and continued access. 

 

Besides running commands for discovery and lateral movement, we also observed Lotus Blossom use specific commands to install their notorious Sagerunex backdoor within the system registry, configuring it to run as a service. Presented below are the command lines the actor used to install the backdoor as a service. 

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\swprv.dll /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt /v Start /t REG_DWORD /d 2 /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\appmgmts.dll /f 

 

The actor used the following commands to verify that the backdoor can successfully run as a service.  

reg query HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters 

reg query HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters 

reg query HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters 
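As a defender’s check for the ServiceDll rewrites shown above, here is an added Python example (not code from the Talos post) that scans constructed, simplified Sysmon-style registry events and flags ServiceDll values that point outside System32 or differ from a baseline for tapisrv, swprv and appmgmt. The baseline paths and the one-line event layout are assumptions for this example; build the real baseline from a known-good host.

```python
import re
from typing import Dict, List, Optional

# Baseline ServiceDll values for the three services the post names. These are
# assumed stock Windows defaults for this example, not data from the post.
EXPECTED_SERVICEDLL: Dict[str, str] = {
    "tapisrv": r"c:\windows\system32\tapisrv.dll",
    "swprv": r"c:\windows\system32\swprv.dll",
    "appmgmt": r"c:\windows\system32\appmgmts.dll",
}

SYSTEM32 = r"c:\windows\system32" + "\\"

# Constructed sample events modelled on Sysmon Event ID 13 (RegistryEvent, value set).
# Field names follow Sysmon; the one-line layout is our simplification for the example.
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters\ServiceDll Details=c:\windows\tapisrv.dll
EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Start Details=DWORD (0x00000002)
EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters\ServiceDll Details=c:\windows\swprv.dll
EventID=13 Image=C:\Windows\System32\services.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters\ServiceDll Details=%SystemRoot%\System32\swprv.dll
EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters\ServiceDll Details=%SystemRoot%\System32\appmgmts.dll
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=tasklist
"""

_FIELD_RE = re.compile(r"EventID=(\d+)\s+Image=(\S+)\s+TargetObject=(\S+)\s+Details=(.*)$")
_SERVICEDLL_RE = re.compile(r"\\services\\([^\\]+)\\parameters\\servicedll$")


def normalize_path(path: str) -> str:
    """Lower-case the path and expand the variables REG_EXPAND_SZ values commonly use."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def parse_event(line: str) -> Optional[dict]:
    """Parse one sample line; return None for anything that is not a registry value-set event."""
    m = _FIELD_RE.match(line.strip())
    if not m or m.group(1) != "13":
        return None
    return {"image": m.group(2), "target": m.group(3), "details": m.group(4)}


def check_servicedll(target: str, details: str) -> Optional[dict]:
    """Flag a ServiceDll write that leaves System32 or moves a baselined service off its DLL."""
    m = _SERVICEDLL_RE.search(target.lower())
    if not m:
        return None  # not a ServiceDll value (Start/Type changes are out of scope here)
    service = m.group(1)
    dll = normalize_path(details)
    if not dll.startswith(SYSTEM32):
        reason = "ServiceDll outside System32"
    elif service in EXPECTED_SERVICEDLL and dll != EXPECTED_SERVICEDLL[service]:
        reason = "ServiceDll differs from baseline"
    else:
        return None
    return {"service": service, "dll": dll, "reason": reason}


def scan_events(text: str) -> List[dict]:
    """Run the ServiceDll check over every event line and record which process made the write."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        finding = check_servicedll(ev["target"], ev["details"])
        if finding:
            finding["image"] = ev["image"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['reason']}: {f['service']} -> {f['dll']} (written by {f['image']})")
```

On the sample data only the two writes that move tapisrv and swprv to c:\windows\ are reported; the later restores to System32 match the baseline and stay quiet.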

 

Sagerunex malware analysis 

In this section, we provide in-depth technical analysis of the multiple variants of the Sagerunex backdoor. Our exploration will begin with a detailed examination of a particular Sagerunex backdoor variant that exhibits a high degree of code similarity and workflow resemblance to those described in other vendors’ blog posts. This analysis will help establish connections and highlight the shared characteristics observed across different Sagerunex variants.  

 

Next, we will shift our focus to another intriguing variant of the Sagerunex backdoor, which utilizes Dropbox as its C2 server. This unconventional choice of a third-party cloud service illustrates the threat actor’s adaptability and efforts to evade detection. Additionally, we have identified another variant of the Sagerunex backdoor that leverages the Zimbra open-source webmail service for its C2 operations. This finding further underscores the diverse strategies Lotus Blossom employs to maintain control and persist within compromised environments. 

 

We examined the loader code similarity to identify numerous variants of the Sagerunex backdoor. By analyzing the loader and the behavior of the Sagerunex backdoor, we can classify the malware into the Sagerunex family. Despite the loader’s compact size and primary function of injecting the Sagerunex backdoor into memory, we have identified two distinct loader patterns. The first pattern involves the decryption algorithm: the loader embeds and encrypts the Sagerunex backdoor, utilizing a customized decryption process to extract it. The second pattern is the “servicemain” function, where the loader verifies its environment, ensuring it can only be executed as a service.  

 

Furthermore, we also observed the actor employ VMProtect, a software protection tool, to obfuscate Sagerunex code and evade detection by antivirus products. These sophisticated techniques are used to maintain the persistence of Sagerunex backdoor variants. 

 

Sagerunex malware similarity 

During its initial execution, Sagerunex conducts several checks before sending a beacon to its C2 server. These verification functions are present across all Sagerunex variants. The first check searches for a debug log file in the temp folder. Regardless of whether this debug log file is present, all Sagerunex variants proceed with execution; if the debug log is found, the backdoors encrypt the debug strings along with a timestamp and store them in the log file. Below is a screenshot displaying the debug file names for all Sagerunex variants. From left to right, the versions are: the “Beta” version, featuring clear debug strings within its code flow; the original version, previously discussed in another blog post, whose code flow is the same as the Beta version’s; the Dropbox and Twitter versions, which use these third-party cloud services as C2 channels; and finally the Zimbra version, which employs the Zimbra webmail service for C2 purposes. 

[Figure: debug file names of the Sagerunex variants, left to right: Beta, original, Dropbox/Twitter, Zimbra]

 

The second check verifies the existence of the backdoor configuration file within a specific directory and under a designated filename. Below, we provide examples of the configuration file paths and filenames of different Sagerunex versions uncovered during our research. We suspect there may be additional directories that remain undiscovered. These are ordered in the same way as in the preceding paragraph.  

[Figure: Sagerunex configuration file paths and filenames, in the same order as above]

 

Subsequently, the Sagerunex backdoor examines the system time to decide whether to execute its main function immediately or delay its execution. Each Sagerunex variant possesses its own time-check logic. For example, one variant checks if it operates during working hours (e.g. 10:00 am to 7:00 pm), while another ensures that the system hours do not exceed the system minutes. Despite these slight variations in check strategies among the Sagerunex backdoors, they all utilize the same pause API, “WaitForSingleObject,” and uniformly wait for 300,000 milliseconds before proceeding again with time-check logic. 

 

A final shared feature among all Sagerunex variants is their approach to proxy configuration, which enables the backdoor to successfully connect to the C2 server. While the malware includes several proxy-related functions, not all variants utilize every available option. Some rely solely on web proxy “autodiscovery” for accessing proxy services. Additionally, we identified hardcoded proxy servers, along with proxy usernames and passwords, within the Sagerunex configuration files. This discovery strongly supports our assessment that Lotus Blossom’s activities are intended for espionage purposes.  


Beta version of Sagerunex 

The Beta version of Sagerunex closely resembles the Sagerunex backdoor discussed previously in this post. However, this Beta version includes additional debug strings featuring more complete sentences, which is why we have called it the Beta version of Sagerunex. For example, as shown in the screenshot below, while typical Sagerunex debug strings often use “0x00” as a prefix followed by error or behavior shortcut strings, the Beta version offers more detailed information, such as “Online Fail! Wait for %d mins\r\n.” Furthermore, this Beta version also gives us a clearer understanding of the Sagerunex workflow. 


Fig. The left side is the Beta version of Sagerunex and the right side is typical Sagerunex. 

 

Once all the checks are bypassed, the Beta version of Sagerunex gathers information from the target host, including the hostname, MAC address, and IP address. It also queries the public IP address using “api.ipaddress[.]com.” This collected information is then encrypted and sent back to the C2 server. Upon receiving the encrypted data, Sagerunex decrypts it, successfully bringing the backdoor online and enabling the threat actor to control the target. Below are the debug strings indicating successful online status and the backdoor command functions. 


Fig. The left side is the online debug strings, and the right side is backdoor command functions.  

The Beta version of Sagerunex backdoor overall infection chain is visualized below. 

[Figure: infection chain of the Beta version of Sagerunex]

Dropbox & Twitter version of Sagerunex 

Talos also discovered another variant of the Sagerunex backdoor that uses the Dropbox and Twitter APIs as C2 services. After bypassing the initial checking steps, this backdoor variant retrieves the necessary Dropbox or Twitter tokens to successfully bring the backdoor online. Once the backdoor sends a beacon message and receives a response ID, it evaluates the ID number to determine subsequent actions. If the ID is less than 16, the function returns, prompting the backdoor to send another beacon message and wait for a new ID. If the ID is between 16 and 32, the backdoor proceeds to collect host information and execute the paired backdoor command functions. After gathering the information and executing the commands, the backdoor encrypts and archives all collected data, then transmits it back to Dropbox or Twitter. When the ID received equals 39, the backdoor retrieves data from Dropbox files or Twitter status updates to confirm the status of the backdoor service. Below are screenshots of the Dropbox and Twitter connection-testing function and of this variant’s command functions. 


Fig. The left side is the online debug strings, and the right side is backdoor command functions. 

 

Additionally, our reverse engineering of this version of the Sagerunex backdoor revealed one intriguing finding. We discovered that the configuration file for this version not only includes Dropbox tokens and Twitter tokens but also reveals its original file path, which we believe may originate from the actor’s machine. Below, we provide a list of all the file paths we identified, along with a screenshot of the configuration file. 

  • C:UsersaaDesktopdpst.dll 
  • C:Users3DesktopDT-1-64-Gmsiscsii.dll 
  • C:UsersbalabalaDesktopswprve64.dll 
  • C:Userstest04Desktopadtsvc32.dll 
  • C:UsersUSERDocumentsdtj32dj32.dll 
[Figure: configuration file of the Dropbox & Twitter version]

 

Moreover, our observations of the timestamps on Dropbox files and Twitter content indicate that this version of the backdoor was predominantly active between 2018 and 2022, and we assess that this version of the backdoor might still be active now. This timeframe suggests a consistent pattern of use over several years, highlighting the longevity and persistence of this threat in the wild. Below is an example where we extract the file details from one of the Dropbox accounts. 

[Figure: file details extracted from one of the Dropbox accounts]

 

The Dropbox & Twitter version of Sagerunex backdoor infection chain is visualized below. 

[Figure: infection chain of the Dropbox & Twitter version of Sagerunex]

Zimbra webmail version of Sagerunex 

The final variant of the Sagerunex backdoor Talos discovered employs the Zimbra API to connect to a legitimate Zimbra mail service, using it as a C2 channel to exfiltrate victim information. Like other versions, this Sagerunex variant performs all the necessary checks before establishing its initial beacon connection. It uses the Zimbra webmail URL, along with a username and password, to log in and obtain an authentication token. Upon successfully acquiring this token, the backdoor synchronizes the account’s folders and documents and uses the search function API to verify that the connection works. Once the connection and synchronization processes are complete, the backdoor gathers host information, encrypts the information, and saves the data as “mail_report.rar”. The RAR file is attached to a draft email in the account’s Drafts folder. With these steps finalized, the beacon connection is successfully established. 


 

The Zimbra webmail version of Sagerunex is designed not only to collect victim information and send it to the Zimbra mailbox, but also to let the actor use Zimbra mail content to issue orders and control the victim machine. If the mailbox contains a legitimate command message, the backdoor downloads the content and extracts the command; otherwise, the backdoor deletes the content and waits for a legitimate command. Once it finishes executing the command, the backdoor packages the command result and likewise saves the data as “mail_report.rar”. The RAR file is attached to a draft email in the account’s Trash folder. 


 

Fig. The left side is the Zimbra status path, and the right side is the backdoor command functions.  

Talos observed that this version of the Sagerunex backdoor has been active since 2019, and there are still several Zimbra mailboxes receiving the compromised machine beacon information.  


 

The Zimbra version of Sagerunex backdoor infection chain is visualized below. 

[Figure: infection chain of the Zimbra version of Sagerunex]

Coverage 


 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context for your specific environment and threat data is available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64511, 64510, 64509. 

ClamAV detections are also available for this threat: 

Win.Backdoor.Sagerunex-10041845-0 

Win.Tool.Mtrain-10041846-0 

Win.Tool.Ntfsdump-10041854-0 

Win.Backdoor.Sagerunex-10041857-0 

 

Indicators of compromise (IOCs) 

Campaign code 


IOCs for this research can also be found at our GitHub repository here


How smartphones actually track you | Kaspersky official blog

You’ve probably heard the rumor — our smartphones are always listening. But the truth is, they don’t need to. The information that virtually every app on your smartphone, from games to weather apps, shares with data brokers is more than enough to create a detailed profile on you. For a long time, “online tracking” meant that search engines, ad systems, and advertisers all knew which websites you visited. But since smartphones appeared on the scene, the situation has become much worse: now advertisers know where you go physically and how often. So, how do they do it?

Every time any mobile app prepares to show an ad, a lightning-fast auction takes place to determine which specific ad you’ll see based on the data sent from your smartphone. And although you only see the winning ad, all the participants in the auction receive data about the potential viewer — that is, you. A recent experiment showed just how many companies receive this information, how detailed it is, and how ineffective built-in smartphone features like “Do Not Track” and “Opt Out of Personalized Ads” are at protecting users. Nevertheless, we still recommend some protection methods!

What data do advertisers receive?

Every mobile app is built differently, but most start “leaking” data to ad networks even before displaying any ads. In the experiment mentioned earlier, a mobile game immediately sent an extensive array of data to the Unity Ads network upon launch:

  • Information about the smartphone, including OS version, battery level, brightness and volume settings, and available memory
  • Data about the network operator
  • Type of internet connection
  • Full IP address of the device
  • Vendor code (the game developer’s identifier)
  • Unique user code (IFV) — an identifier linked to the game developer and used by an ad system
  • Another unique user code (IDFA/AAID) — an ad identifier shared by all apps on the smartphone
  • Current location
  • Consent for ad tracking (yes/no)

Interestingly, the location is transmitted even if the service is disabled on the smartphone. It’s approximate though, calculated based on the IP address. However, with publicly available databases matching physical and internet addresses, this approximation can be surprisingly accurate — down to the city district or even the building. If location services are enabled and allowed for the app, precise location data is transmitted.

In the same experiment, the consent for ad tracking was marked as “User Agreed”, even though the experiment’s author did not provide such consent.

Who gets the data, and how often?

The data stream is sent to all ad platforms integrated into the app. There are often several such platforms, and a complex algorithm determines which one will be used to show the ad. However, some data is shared with all connected networks — even those that aren’t currently showing ads. In addition to the above-mentioned Unity (whose ad platform generates 66% of revenue for developers using this game engine), other major platforms include those of Facebook, Microsoft, Google, Apple, Amazon, and dozens of specialized companies like ironSource.

Next, the ad network currently displaying ads in the app sends a large set of user data to a real-time bidding (RTB) system. Here, various advertisers analyze the data and bid to display their ads, all at lightning-fast speeds. You view the winning ad, but information about your location, combined with the exact time, IP address, and all other data, is shared with every auction participant. According to the experiment’s author, this data is collected by hundreds of obscure firms, some of which may be shell companies owned by intelligence agencies.

This video from the experiment shows how connections to ad servers were made dozens of times per second, and even Facebook received data despite the fact that no Meta apps were installed on the experimenter’s smartphone.

The illusion of anonymity

Ad-network owners love to claim that they use anonymous and depersonalized data for ad targeting. In reality, advertising systems go to great lengths to accurately identify users across different apps and devices.

In the data set mentioned above, two different user codes are listed: IFV and IDFA/AAID (IDFA for Apple, AAID for Android). A separate IFV is assigned to your device by each app developer. If you have three games from the same developer, each of these games will send the same IFV when showing ads. Meanwhile, apps from other developers will send their own IFVs. The IDFA/AAID, on the other hand, is a unique advertising identifier assigned to the entire smartphone. If you’ve agreed to “ad personalization” in your phone’s settings, all games and apps on your device will use the same IDFA/AAID.

If you disable ad personalization, or decline consent, the IDFA/AAID is replaced with zeros. But IFVs will continue to be sent. By combining the data transmitted with each ad display, advertising networks can piece together a detailed dossier on “anonymous” users, linking their activity across different apps through these identifiers. And as soon as the user enters their email address, phone number, payment details, or home address anywhere — such as when making an online purchase — the anonymous identifier can be linked to this personal information.

As we discussed in our article on the Gravy Analytics data leak, location data is so valuable that some companies posing as ad brokers are created solely to collect it. Thanks to IFV — especially IDFA/AAID — it’s possible to map out the movements of “Mr. X” and often de-anonymize him using just this data.

Sometimes, complex movement analysis isn’t even necessary. Databases linking ad identifiers to full names, home addresses, emails, and other highly personal details can be simply sold by unscrupulous brokers. In such cases, detailed personal data and a comprehensive location history form a complete dossier on the user.

How to protect yourself from ad tracking

In practice, neither strict laws like the GDPR nor built-in privacy settings provide complete protection against the tracking methods described above. Simply pressing a button in an app to disable ad personalization is not even a half-measure — it’s more like a tenth of a measure. The fact is, this only removes one identifier from the telemetry data, while the rest of your data is still sent to advertisers.

Cases like the Gravy Analytics data leak and the scandal involving the Datastream data broker demonstrate the scale of the problem. The ad-tracking industry is enormous, and exploits almost any app — not just games. Moreover, location data is purchased by a wide range of entities — from advertising firms to intelligence agencies. Sometimes, hackers obtain this information for free if a data broker fails to adequately protect its databases. To minimize the exposure of your data to such leaks, you’ll need to take some significant precautions:

  • Only allow location access for apps that genuinely need it for their primary function (e.g., navigation apps, maps, or taxi services). For example, delivery services or banking apps don’t actually need your location to function — let alone games or shopping apps. You can always manually enter a delivery address.
  • In general, grant apps the minimum permissions necessary. Do not allow them to track your activity in other apps, and do not grant full access to your photo gallery. Malware has been developed that can analyze photo data using AI, and unscrupulous app developers could potentially do the same. Additionally, all photos taken on your smartphone include geotags by default, among other information.
  • Configure a secure DNS service with ad-filtering functionality on your smartphone. This will block a significant amount of advertising telemetry.
  • Try to use apps that don’t contain ads. These are typically either FOSS (Free Open Source Software) apps or paid applications.
  • On iOS, disable the use of the advertising identifier. On Android, delete or reset it at least once a month (unfortunately, it cannot be completely disabled). Remember, these actions reduce the amount of information collected about you but don’t entirely eliminate tracking.
  • Where possible, avoid using “Sign in with Google” or other similar services in apps. Try to use apps without creating an account. This makes it harder for advertisers to collate your activity across different apps and services into a unified advertising profile.
  • Minimize the number of apps you have on your smartphone, and regularly delete unused apps — they can still track you even if you’re not actively using them.
  • Use robust security solutions on all your devices, such as Kaspersky Premium. This helps protect you from more aggressive apps, whose advertising modules can be as malicious as spyware.
  • In the Kaspersky settings in your smartphone, activate the Anti-Banner and Private Browsing options on iOS, or Safe Browsing on Android. This makes it significantly more difficult to track you.

If smartphone surveillance doesn’t concern you yet, here are some chilling stories about who is spying on us and how:

Kaspersky official blog – Read More

How to scan huge file storage

Scanning the hard drives of work computers is a simple daily procedure that happens without impacting the user or requiring any manual action. In the case of servers, however, things are more complex — especially if done in response to an incident, after which all company storage (perhaps tens of terabytes’ worth) needs an unscheduled scan. What’s more, you need to ensure absolute data security and no noticeable drop in performance for users.

We’ve compiled a list of tips and precautions to save you time and prevent further incidents. All tips related to our products use Kaspersky Endpoint Security as an example, but the same logic applies to other EPP/EDR security products.

Preliminary checks

Check the configuration of the computer that will perform the scan. Make sure that the OS is updated to the latest version and can connect to all disks being scanned and process the data correctly — that is: read long Unicode file names, handle very large files and files on case-sensitive partitions, and so on. To speed up the scan, use a computer with a powerful multicore CPU, generous memory, and fast local storage for temporary files.

Make sure that disk access is fast. The computer should connect to all storage either directly (local storage) or through a fast network interface using a high-performance protocol (preferably SAN-type).

Check your backups. Although scanning should not affect stored data, it’s important to have a plan B in case of malware infection or file corruption. Therefore, carefully check the date and contents of the most recent backup of all data, consider when data-recovery drills were last performed, and generally make sure the current backup versions are usable. If current backups aren’t available, assess the risks and time frames, and possibly back up critical data before scanning.

Clarify the nature of the data on the disks and the storage specifications. This is to optimize the scan settings. Are the disks arranged in a RAID array? If so, what type? You need to decide whether to scan different disks in parallel, and whether this will boost performance. If the disks are accessible independently, consider parallel scanning from multiple computers. Here again, both access speed and server capacity are key. For a powerful computer limited mainly by access speed to different disks, you can run parallel scanning tasks on a single machine.

The nature of the data will greatly affect your decision. If the disks contain many heterogeneous files, or archives with a large number of files, scanning will require significant resources of all types: CPU, memory, temporary folders, etc. The load will be lower if large files in a safe format (video editing sources, database tables, backups/archives known to be untouched) make up a major part of what’s being stored.

Preparing for scanning

Schedule the scan time. Ideally, a weekend, nighttime, or other period when few users access the data. Then you can either completely remove the disks and servers to be scanned from public access, or warn users about possible system slowdown and be sure that only a very small group of people will be affected.

Make sure there’s enough free space on the disks. Scanning may involve unpacking archives and images, which sometimes requires a lot of space.

Check quarantine storage settings. If many infected and suspicious files are found, quarantine may overflow and older samples will be deleted. So it’s worth allocating plenty of space for quarantine.

Agree and enforce an exclusion policy. To reduce scan time, exclude resources that pose no risk and would take a very long time to scan. This category typically includes very large files (with the cutoff ranging from hundreds of megabytes to several gigabytes, depending on the situation), distribution kits, backups, other files that haven’t been modified since previous scans, and files that are known to be non-executable. However, the last category is not so clear-cut, as there can be malicious fragments hidden in plain text files and images. So it’s better to be safe than sorry and scan images as well.

Delete temporary files and folders so you don’t waste time on them.

Scan settings

These recommendations should be adjusted in line with your prior assessments and the nature of the data, but the basic advice is:

  • Set the maximum amount of memory and CPU time for scanning, taking into account the server usage profile. If the server is unavailable to users during scanning, you can allocate up to 80% of CPU and memory resources — any higher and the computer may become sluggish. For servers that remain under normal load, these numbers should be significantly lower.
  • In our product settings enable iChecker and iSwift. These technologies speed up scanning of some file formats and exclude data that’s been unchanged since the last scan.
  • Here, you can also enable additional options to prevent overloading the system: “Do not run multiple scan tasks at the same time” and “Scan only new and modified files”.
  • Disable scanning of password-protected archives; otherwise, password requests will cause the application to stop scanning.
  • Set the maximum size of files for scanning in accordance with what we discussed above.
  • Set the heuristic analysis level to medium.
  • Select actions for infected objects; quarantine will likely be the best choice.
  • Set the logging settings so that the logs contain sufficiently detailed information about scanned objects and scan results.

Performance settings are described in more detail on our support site: for Windows and for Linux.

Running the scan

Start by scanning a small partition or subset of files weighing no more than a terabyte. Evaluate the impact of the scan on server performance (especially important if it continues to serve users) as well as the total time taken, and check the logs for errors. If the scan seems to take too long, try to figure out from the logs what caused the bottleneck. Using this data, adjust the settings accordingly and schedule a “big scan”.

Even after the test, we don’t advise running a full scan of the entire data volume in one task. It’s better to create multiple scan tasks — each targeting only one of the many storage fragments, such as individual disks. This reduces the risk of a prohibitively long scan time, or a failed scan that has to be restarted from scratch.

In the basic scenario, these subtasks are run sequentially as they’re completed. But if the system configuration allows it, dividing the scan into multiple tasks will let you scan independent disks in parallel.

During scanning, monitor the system load and the scan progress so as to intervene in time in case of abnormal situations. And after each task is completed, be sure to drill down into the logs!
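The two organisational points above, a size-based exclusion policy agreed before the scan and a big scan split into per-fragment tasks with their own logs, can be sketched in a small orchestration script. The following is an added example written for this page, not Kaspersky’s tooling: the scanner is a placeholder that only walks files and writes a log, where a real EPP/EDR command-line scanner would be invoked; the directory layout, the 512 MB cutoff and the sparse “backup” file are constructed sample data.

```python
"""Plan and run a large storage scan as several per-fragment tasks."""
import os
import shutil
import tempfile
from concurrent.futures import ThreadPoolExecutor

MB = 1024 * 1024


def exclusion_list(root, cutoff_mb):
    """Paths under root whose size is at or above the agreed cutoff (the files
    the exclusion policy says are not worth scanning)."""
    excluded = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) >= cutoff_mb * MB:
                excluded.append(path)
    return sorted(excluded)


def scan_fragment(root, cutoff_mb, log_path):
    """One scan task over one storage fragment. Returns (scanned, skipped).
    Placeholder: a real scanner would inspect each file instead of counting it."""
    excluded = set(exclusion_list(root, cutoff_mb))
    scanned = skipped = 0
    with open(log_path, "w") as log:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if path in excluded:
                    skipped += 1
                    log.write(f"SKIP size>={cutoff_mb}MB {path}\n")
                else:
                    scanned += 1
                    log.write(f"SCAN {path}\n")
        log.write(f"DONE scanned={scanned} skipped={skipped}\n")
    return scanned, skipped


def run_scan_tasks(fragments, cutoff_mb, log_dir, max_parallel):
    """One task per fragment, at most max_parallel running at once. Each task
    keeps its own log, so a failed fragment is re-run without restarting the rest."""
    os.makedirs(log_dir, exist_ok=True)
    results = {}
    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        futures = {
            fragment: pool.submit(scan_fragment, fragment, cutoff_mb,
                                  os.path.join(log_dir, f"task{i}.log"))
            for i, fragment in enumerate(fragments, 1)
        }
        for fragment, future in futures.items():
            results[fragment] = future.result()
    return results


def make_sample_storage():
    """Constructed demo tree: two 'disks'; disk2 holds a sparse 600 MB backup
    that a 512 MB cutoff excludes. Returns the temporary root directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "disk1", "docs"))
    os.makedirs(os.path.join(root, "disk2", "backups"))
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(root, "disk1", "docs", name), "w") as f:
            f.write("sample\n")
    with open(os.path.join(root, "disk2", "backups", "full.bak"), "wb") as f:
        f.truncate(600 * MB)   # sparse: large reported size, no real disk use
    with open(os.path.join(root, "disk2", "note.txt"), "w") as f:
        f.write("x\n")
    return root


def remove_sample_storage(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = make_sample_storage()
    fragments = [os.path.join(root, "disk1"), os.path.join(root, "disk2")]
    for fragment, (scanned, skipped) in run_scan_tasks(fragments, 512, os.path.join(root, "logs"), 2).items():
        print(f"{fragment}: scanned={scanned} skipped={skipped}")
    remove_sample_storage(root)
```

Whether the fragments should really run in parallel depends on the RAID layout and access speed discussed under “Preliminary checks”; with `max_parallel=1` the same code runs the tasks sequentially.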

Kaspersky official blog – Read More

Learn to Analyze Real-World Cyber Threats with Security Training Lab

If you are a student, you might be several years away from getting a degree and a profession – and about a month away from becoming a malware analyst. The latter is made possible by ANY.RUN’s Security Training Lab.

There is no point in advertising a career in cybersecurity nowadays. Money talks louder: ransom sums, possible financial costs of operational disruption, and reputational losses hint that investing in cybersecurity teams is a wise solution for any business.   

Security Training Lab can be a step towards a spectrum of career paths that require cybersecurity literacy and an understanding of malware analysis. It can also be a valuable addition to an academic course on threat detection, malware analysis or other cybersecurity subjects.

So, let’s take a closer look at the program.  

What is Security Training Lab  

It is an interactive digital course on malware analysis produced by ANY.RUN. It comprises 30 hours of academic content on cyber threats, including written materials, video lectures, tasks and tests.

Learn more about Security Training Lab
 
ANY.RUN is a cybersecurity company with 9 years of experience in providing malware analysis and threat intelligence services to individual security researchers, Managed Security Service Providers (MSSPs), and SOC departments of the largest companies around the world. 

Security Training Lab stands out from other courses on malware analysis by focusing on teaching you practical skills with real-world examples of the latest cyber threats.

  • Comprehensive Learning: 30 hours of academic content with written materials, video lectures, interactive tasks, and tests.
  • Hands-On Experience: Full sandbox access with special plans for teachers and team licenses for students.
  • Real-World Practice: Learn through real-world threat samples and labs.
  • User-Friendly Platform: Easy-to-use and fast management system.
  • Community Support: Private Discord community with tips, lifehacks, and news.

What Security Training Lab is Not 

Security Training Lab is not just a manual for ANY.RUN’s Interactive Sandbox. As part of the program, a student gets acquainted with a variety of professional tools and more importantly, with the key concepts and methods of cyber threat analysis and research.  

Skills You’ll Learn to Analyze Real-World Threats 

STL’s contents and structure 

In the course of Security Training Lab, you’ll acquire several key analytical skills, including, but not limited to, the following. 

Conducting Advanced Static Analysis

Static analysis examines a suspicious file without executing it. You will learn to understand the structure and the source code of executable files, the functions of Windows API, use file hashes to identify and track threats, and evaluate files’ entropy.

You will learn to use static analysis tools like DiE

This data defines whether a file is malicious, what its real functions are, how it behaves, and how exactly it threatens the target. 

Advanced static analysis implies disassembling malware’s code to see its structure, variables, loops, conditional operators, and other elements of the program, which helps to better understand the logic of its operation. 

During the course, you will practice using a free tool for advanced static analysis and will become able to navigate through the code, set breakpoints for debugging, change values in memory and registers, gaining full control over the program being analyzed. 

📋 Static Analysis Skills You’ll Learn
  • Dissecting binaries to extract indicators of compromise (IOCs)
  • Understanding and modifying assembly code for deeper analysis
  • Using disassemblers and decompilers to reconstruct malware logic

Dealing with Encryption in Malware 

The course will teach you to perform analysis of encrypted traffic

While encryption is a reliable shield to protect confidential data, it is also a tool in hackers’ hands that allows them to hide malicious activity and bypass protective mechanisms.  

You will learn to identify encryption and decrypt malware with practical examples 

You’ll discover the principles of encryption, different approaches to its implementation, the most popular encryption algorithms from XOR to RSA and RC4 with their strengths and weaknesses, and the basics of decryption. 
 
The acquaintance with encryption algorithms helps to detect the signs of software’s malicious nature: code obfuscation, encrypting network traffic for hiding activity or data for extortion. Knowing how data is decrypted allows one to bypass malware’s protection against analysis. 

🗝 Malware Decryption Skills You’ll Learn
  • Identifying and analyzing obfuscated and encrypted payloads
  • Extracting encryption keys and decrypting malicious payloads
  • Bypassing malware encryption techniques to reveal hidden threats
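As an added example for this section (not code from the course or from ANY.RUN), the block below implements the two simplest algorithms the text lists, single-byte XOR and RC4, together with the analyst-side steps: shortlisting XOR keys by how printable the output is, confirming one with a known string such as a URL scheme, and decrypting an RC4 blob once its key has been recovered. The configuration string, the RC4 key and the XOR key are constructed here; the only real test vector is the published RC4 pair “Key”/“Plaintext”.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling (KSA) then keystream generation (PRGA).
    Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def xor_key_candidates(blob: bytes, min_printable: float = 0.95) -> list:
    """Single-byte keys whose output is almost entirely printable text."""
    return [k for k in range(256)
            if printable_ratio(xor_bytes(blob, bytes([k]))) >= min_printable]


def recover_single_byte_xor(blob: bytes, crib: bytes = b"http"):
    """Among the printable candidates, pick the key whose output contains a
    crib the analyst expects in a config (here a URL scheme). Returns
    (key, plaintext) or None when no candidate matches."""
    for k in xor_key_candidates(blob):
        plaintext = xor_bytes(blob, bytes([k]))
        if crib in plaintext:
            return k, plaintext
    return None


# Constructed sample config (reserved example domain), protected two ways.
CONFIG = b"c2=http://c2.example.invalid/gate.php;sleep=60"
XOR_KEY = b"\x5a"                         # assumed single-byte key
RC4_KEY = b"k3y-from-sample"              # assumed key, as if pulled from the binary
XORED_CONFIG = xor_bytes(CONFIG, XOR_KEY)
ENCRYPTED_CONFIG = rc4(RC4_KEY, CONFIG)


if __name__ == "__main__":
    key, text = recover_single_byte_xor(XORED_CONFIG)
    print(f"XOR key 0x{key:02x} ->", text.decode())
    print("RC4 decrypt ->", rc4(RC4_KEY, ENCRYPTED_CONFIG).decode())
```

The crib step is what makes the XOR recovery reliable: for a short ASCII string several keys produce fully printable output (for instance, flipping the lowest bit of the true key still yields printable text), so printability alone shortlists rather than decides.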

Identifying Malicious Behavior 

Understanding and predicting malware behavior is the main task of malware analysis. The more we know about the stack of current malicious capabilities, the easier it is to deal with future threats. 

A malware’s tactics and techniques shown in Interactive Sandbox

When executed, the malware generates files, establishes connections, and modifies processes. It also takes measures to avoid detection and analysis, maintain persistence, hide its launch, and escalate its privileges.

These actions are traceable and can help to identify an ongoing attack, assist in the analysis process, or develop a cybersecurity strategy to protect against known malware strains. 

You will explore MITRE ATT&CK — a constantly updated database of attacker tactics and techniques — and practice using it in malware behavior analysis.  

🎯 Malware Behavior Analysis Skills You’ll Learn
  • Mapping malware actions to MITRE ATT&CK techniques
  • Detecting persistence mechanisms and evasion tactics
  • Using sandbox environments to log and analyze malware activity

Performing In-depth Dynamic Analysis 

Dynamic Malware Analysis module will teach you to use tools like x32/x64dbg

For dynamic analysis we need to watch malware in action, so we let it loose within a safe virtual machine environment. Basic dynamic analysis gives us a first glimpse of how the malware interacts with the system. Advanced dynamic analysis is like examining the behavior of malware under a microscope: we get into the intricacies of the malicious code to understand its algorithms and find weaknesses.

One of the tasks on understanding dynamic analysis 

Security Training Lab will equip you with powerful tools for advanced dynamic analysis (API Monitor and x64dbg) and guide you through debugging and anti-debugging techniques. You will learn to combine debugging with static analysis to maximize its efficiency.

⚙ Dynamic Malware Analysis Skills You’ll Learn
  • Utilizing debugging tools to trace malware execution
  • Bypassing anti-analysis techniques used by advanced threats
  • Extracting runtime indicators and identifying malicious system modifications

Analyzing Script- and Macro-Based Attacks 

Malicious scripts require our close attention: they have become incredibly popular with attackers in recent years, mainly because they effectively bypass traditional endpoint defenses and are easy to obfuscate.  
 
Macros are small programs written in scripting languages and embedded in other applications. They get direct access to the Windows API, making them incredibly powerful both for legitimate use and for hackers. 

You will learn to analyze macros in malicious documents 

You will get to know the two main approaches to dissecting scripts — viewing the source code or dynamically executing it and observing it — and master ANY.RUN’s built-in tools for analyzing script-based malware and compiled malware that uses scripts. 

Malicious macros are given special attention since they are used in a number of real-world attack scenarios, and their code is usually heavily obfuscated, which complicates analysis. You will learn how tools like ANY.RUN can help you identify their behavior without resorting to tedious deobfuscation.

📄 Scripts and Macros Analysis Skills You’ll Learn
  • De-obfuscating malicious scripts to extract payloads
  • Analyzing PowerShell and JavaScript-based malware
  • Detecting macro-based threats in Office documents and emails

Get Access to Security Training Lab 

Interested in trying Security Training Lab yourself or bringing it to your educational institution?  

Send us a message and our team will get in touch to discuss your specific needs and provide a customized quote.


Conclusion

Security Training Lab provides a comprehensive and hands-on learning experience for mastering malware analysis. Completing this course will equip you with essential skills to detect, analyze, and mitigate real-world cyber threats.

With in-depth knowledge and practical exercises, you will gain the confidence to navigate the ever-evolving landscape of cybersecurity threats and contribute effectively to digital defense strategies. 

For students looking to begin a career in cybersecurity, this course serves as a solid foundation. The skills you acquire will prepare you for roles such as malware analyst, security researcher, or SOC analyst, helping you take the first step toward a successful and impactful career in the field.

By mastering real-world threat analysis techniques, you will stand out in the job market and be ready to face the challenges of modern cybersecurity. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Learn to Analyze Real-World Cyber Threats with Security Training Lab appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Malware Traffic Analysis in Linux: Hands-on Guide with Examples

Network traffic analysis is one of the most effective ways to detect and investigate malware infections. By analyzing communication patterns, researchers and security teams can uncover signs of malicious activity, such as command-and-control (C2) connections, data exfiltration, or DDoS attacks. 

In this guide, we’ll explore how traffic analysis helps detect malware, the key tools used for this purpose, and real-world examples of Linux malware analyzed in ANY.RUN’s Interactive Sandbox.

How Traffic Analysis Helps Detect Malware 

Some types of malware rely on network communication to receive commands, exfiltrate stolen data, spread across systems, or launch attacks. That’s why network traffic analysis is one of the most effective ways to detect and investigate malware infections. 

By looking at how data flows in and out of a system, you can reveal a variety of malicious activities that might otherwise go unnoticed. 

1. Distributed Denial-of-Service (DDoS) Attacks 

Some malware turns infected devices into zombies within a botnet, instructing them to flood a target server with requests. This can cause service disruptions, slow down websites, or even take entire networks offline. 

☝ Signs in network traffic
  • Unusually high volumes of outgoing traffic
  • Sudden bursts of connections to multiple IPs
  • Large numbers of SYN packets

2. Command and Control (C2) Communication 

Many malware strains, from trojans to ransomware, rely on C2 servers to receive instructions from attackers. These communications can include downloading additional payloads, executing commands, or transmitting stolen data. 

☝ Signs in network traffic
  • Repeated communication with suspicious or newly registered domains
  • Encrypted traffic over unusual ports
  • Beaconing patterns

3. Data Exfiltration & Credential Theft 

Some malware is designed to steal sensitive data, such as login credentials, financial information, or intellectual property. This data is often encrypted and sent to an attacker-controlled server. 

☝ Signs in network traffic
  • Outbound traffic to unknown foreign IPs
  • Unusual spikes in file transfer protocols (FTP, SFTP) 
  • Large volumes of outbound DNS queries

4. Exploitation Attempts & Lateral Movement 

Advanced malware doesn’t just infect one machine. It looks for vulnerabilities to move laterally across a network, escalating privileges and compromising more devices. 

☝ Signs in network traffic
  • Repeated login attempts from a single source (brute-force attacks)
  • SMB traffic spikes
  • Use of internal IP scanning tools like Nmap

5. Malware Download & Dropper Activity 

Many infections start with a simple download: malware that acts as a dropper, pulling additional payloads from the internet. 

☝ Signs in network traffic
  • Downloads from unusual or newly registered domains
  • Traffic to known malware-hosting services
  • Execution of PowerShell or wget/curl commands from unknown sources
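Three of the signs listed above (sudden bursts of connections to many IPs, beaconing, and large volumes of DNS queries) can be checked mechanically once traffic is reduced to flow records. The block below is an added example for this page, not ANY.RUN’s detection logic or a Suricata rule: it parses a constructed flow log (documentation-range addresses, one line per connection attempt) and reports sources that fan out bare SYNs to many hosts, host pairs that talk at near-constant intervals, and per-host DNS query counts. The window, jitter and count thresholds are assumed values to tune against real traffic.

```python
import statistics
from collections import defaultdict

# Constructed flow log, one connection attempt per line:
#   epoch_seconds,src,dst,dst_port,proto,tcp_flags,bytes_out
# 10.0.0.5 beacons to one host roughly every 60 s and then fires bare SYNs at
# 40 hosts within 4 seconds; 10.0.0.7 is ordinary browsing.
FLOW_LOG = """\
999,10.0.0.5,10.0.0.2,53,udp,-,72
1000,10.0.0.5,203.0.113.10,443,tcp,SA,612
1005,10.0.0.7,192.0.2.50,443,tcp,SA,2311
1010,10.0.0.7,10.0.0.2,53,udp,-,70
1059,10.0.0.5,10.0.0.2,53,udp,-,72
1060,10.0.0.5,203.0.113.10,443,tcp,SA,598
1121,10.0.0.5,203.0.113.10,443,tcp,SA,604
1180,10.0.0.5,203.0.113.10,443,tcp,SA,611
1240,10.0.0.5,203.0.113.10,443,tcp,SA,600
1299,10.0.0.5,10.0.0.2,53,udp,-,72
1400,10.0.0.7,192.0.2.60,443,tcp,SA,9870
2200,10.0.0.7,192.0.2.50,443,tcp,SA,1500
""" + "".join(f"{1300 + i // 10},10.0.0.5,198.51.100.{i},80,tcp,S,60\n"
              for i in range(1, 41))


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, flags, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "flags": flags, "bytes": int(nbytes)})
    return flows


def syn_fan_out(flows, window_s=10, min_targets=20):
    """Per source, the largest number of distinct hosts hit with bare SYNs (no ACK)
    inside any window_s-second window; sources at or above min_targets are reported.
    This is the 'sudden burst of connections to multiple IPs' sign."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S":
            by_src[f["src"]].append(f)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f["ts"])
        best = 0
        for i, start in enumerate(events):
            targets = {f["dst"] for f in events[i:] if f["ts"] - start["ts"] <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            findings[src] = best
    return findings


def beacons(flows, min_hits=4, max_jitter=0.2):
    """Per (src, dst, port) with at least min_hits contacts: report the mean
    interval when the intervals are regular (coefficient of variation <= max_jitter)."""
    series = defaultdict(list)
    for f in flows:
        series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean, 1)
    return found


def dns_query_counts(flows):
    """Number of UDP/53 queries per source host."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53:
            counts[f["src"]] += 1
    return dict(counts)


def report(text):
    flows = parse_flows(text)
    return {"syn_fan_out": syn_fan_out(flows), "beacons": beacons(flows),
            "dns": dns_query_counts(flows)}


if __name__ == "__main__":
    for name, finding in report(FLOW_LOG).items():
        print(f"{name}: {finding}")
```

Real captures need the thresholds adjusted to the environment (a vulnerability scanner or a monitoring agent also fans out connections and polls on a schedule), which is why such checks are best treated as triage prompts and confirmed against the PCAP.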

What Tools to Use for Traffic Analysis 

Various tools help security professionals inspect network traffic and identify suspicious activities. Here are some of the most widely used ones: 

Malware Sandboxes 

Real-time network analysis inside ANY.RUN Linux VM 

A dynamic analysis environment like ANY.RUN allows users to observe malware behavior, including network communications, in a controlled setting. The sandbox logs network requests, DNS queries, and protocol usage, making it easier to detect malicious patterns. 

Wireshark 

A powerful packet analysis tool that enables deep inspection of network activity. Analysts use it to capture live traffic or examine PCAP files for suspicious network behavior. 

tcpdump 

A command-line tool for packet capturing and analysis. It provides a lightweight method to monitor network traffic directly from Linux terminals. With tcpdump, analysts can capture packets that flow through a network interface, apply filters to focus on specific traffic, and save captures for later analysis. 

mitmproxy 

An interactive, SSL-capable proxy for analyzing and modifying HTTP/HTTPS traffic in real time. It’s useful for inspecting malicious web traffic generated by malware. 

Analyzing Linux Malware Traffic with a Sandbox 

ANY.RUN’s Interactive Sandbox provides a real-time, dynamic analysis environment that helps researchers and security teams uncover malicious network activities associated with Linux malware. 

Let’s discover how ANY.RUN can make Linux malware traffic analysis more effective: 

Real-time network monitoring: Observe malware’s network behavior live and view outbound HTTP, HTTPS, and DNS traffic, detect hardcoded C2 servers, and spot encrypted connections on unusual ports. 

Interactive analysis: Engage with the infected environment to trigger malware behaviors, bypassing sandbox evasion tactics and uncovering hidden threats. 

Packet capture (PCAP) export: Capture and export all network traffic for deeper analysis in Wireshark or other packet inspection tools. 

Suricata-driven threat detection inside ANY.RUN sandbox 

Suricata-driven threat detection: The sandbox automatically flags malicious network behavior, including botnet communications, exploit attempts, and data exfiltration. 

Network activity displayed inside ANY.RUN Linux sandbox 

Faster investigations: Reduce time spent on manual traffic analysis with live, actionable insights and automated reporting. 

Real-World Linux Malware Analyzed in ANY.RUN Sandbox 

To demonstrate the power of ANY.RUN’s Linux Sandbox for malware traffic analysis, let’s examine three real-world Linux malware cases: 

Case 1: Gafgyt (BASHLITE) – Massive DDoS Attack 

Gafgyt, also known as BASHLITE, is a notorious Linux botnet malware that infects IoT devices and servers to launch DDoS attacks.  

View analysis session with Gafgyt 

Gafgyt malware analyzed inside ANY.RUN 

After examining it inside ANY.RUN’s sandbox, we can see that the malware hijacked the VM, turning it into a botnet node. It then attempted to establish connections with over 700 different IP addresses, flooding the network with malicious traffic.

Network connections observed inside ANY.RUN Linux VM 

The malware established connections with botnet C2 servers, triggering a Suricata alert due to suspicious network behavior.  

You can observe this detection in the “Threats” section under Network Activity Analysis in ANY.RUN: 

Suricata rule triggered by Gafgyt malware 

ANY.RUN provides a PCAP export feature, allowing you to analyze captured network traffic in Wireshark or other specialized tools by exporting the packet capture file for deeper inspection and threat analysis. 

PCAP export feature for deeper analysis 

Case 2: Mirai – Detecting Malicious Network Behavior  

Mirai is a notorious Linux-based malware that primarily targets IoT devices, such as routers, cameras, and other connected systems. It infects devices by exploiting weak or default credentials, turning them into botnet nodes used for large-scale DDoS attacks. 

Once infected, these compromised devices begin scanning the internet for other vulnerable systems to expand the botnet. 

View analysis session with Mirai attack 

Mirai malware detected by ANY.RUN sandbox 

In this analysis session, we observe a Mirai attack within a controlled environment using ANY.RUN’s Interactive Sandbox.  

The malware’s behavior was automatically detected, as it triggered a Suricata rule, confirming its presence through network traffic analysis.  

The session shows how Mirai communicates, spreads, and attempts to establish connections with remote servers.  

Suricata rule triggered by Mirai malware  

Case 3: Exploit – Behavioral Detection in Network Traffic 

Exploits are a common attack vector used by threat actors to gain initial access to Linux systems. These attacks take advantage of system vulnerabilities, often unpatched software or misconfigurations, to execute malicious payloads, escalate privileges, or establish persistence.  

Once inside, attackers can deploy additional malware, steal sensitive data, or take full control of the compromised machine. 

View analysis session with Exploit 

Exploit detected by ANY.RUN 

In this analysis session, you can observe the exploit in a controlled environment as it attempts to manipulate system processes. 

As you can see, the exploit was automatically flagged by Suricata, providing clear evidence of an active attack. 

Suricata rule triggered by Exploit 

Why Businesses & Security Teams Should Use ANY.RUN for Linux Malware Detection 

By examining network traffic inside ANY.RUN’s Linux Sandbox, businesses and security teams can: 

  • Detect threats faster: Real-time analysis exposes malware behavior instantly. 
  • Reduce investigation time: Automated Suricata alerts streamline detection. 
  • Improve network security: Identify and block malicious traffic before it spreads. 
  • Get deeper insights: PCAP exports and interactive analysis let teams dig into the details behind each alert.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Malware Traffic Analysis in Linux: Hands-on Guide with Examples appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More