What started as an easy unpacking session to fill a Friday afternoon led us to a singular black-SEO campaign. Together, we will unravel 4 different malicious loaders written in 4 different programming languages, briefly analyse the final 10MB black-SEO client and reverse engineer its command and control protocol. All of this for XXL swimsuits.| MALCAT
Today, phishing accounts for the majority of all cyberattacks. The availability of low-cost, easy-to-use Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, EvilProxy, and Sneaky2FA only makes the problem worse. These services are actively maintained by their operators; new evasion techniques are regularly added, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand. But […] The post Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU...| ANY.RUN's Cybersecurity Blog
Editor’s note: The current article was originally published on March 11, 2024, and updated on August 14, 2025. Security Operations Centers (SOCs) face an overwhelming volume of threat alerts, making it difficult to separate real threats from false positives without heavy resource use. For teams already working with, or planning to adopt Filigran’s OpenCTI, ANY.RUN now […] The post ANY.RUN & OpenCTI: Transform SOC for Maximum Performance appeared first on ANY.RUN's Cybersecurity Blog.| ANY.RUN's Cybersecurity Blog
Find crucial steps to take as a CISO to empower your SOC operations with threat intelligence to mitigate risks and improve key metrics.| ANY.RUN's Cybersecurity Blog
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. North Korean state-sponsored groups, such as Lazarus, continue to target the financial and cryptocurrency sectors with a variety of custom malware families. In previous research, we examined strains like InvisibleFerret, Beavertail, and OtterCookie, often […] The post PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance an...| ANY.RUN's Cybersecurity Blog
ANY.RUN now delivers Threat Intelligence (TI) Feeds directly to Microsoft Sentinel via the built-in STIX/TAXII connector. No complicated setups. No custom scripts. Only high-quality indicators of compromise (IOCs) to fortify your SOC and catch attacks early, keeping your business secure. About the TI Feeds Connector for Microsoft Sentinel ANY.RUN’s TI Feeds support a seamless, out-of-the-box […] The post ANY.RUN & Microsoft Sentinel: Catch Emerging Threats with Real-Time Threat Inte...| ANY.RUN's Cybersecurity Blog
Why are SOC teams still struggling to keep up despite heavy investments in security tools? False positives pile up, evasive threats slip through, and critical alerts often get buried under noise. For CISOs, the challenge is giving teams the visibility and speed they need to respond before damage is done. ANY.RUN helps close that gap. 95% of […] The post CISO Blueprint: 5 Steps to Enterprise Cyber Threat Resilience appeared first on ANY.RUN's Cybersecurity Blog.| ANY.RUN's Cybersecurity Blog
While cybercriminals were working overtime this July, so were we at ANY.RUN — and, dare we say, with better results. As always, we’ve picked the most dangerous and intriguing attacks of the month. But this time, there’s more. Alongside the monthly top, we are highlighting a key trend that’s been powering campaigns throughout 2025: the […] The post Major Cyber Attacks in July 2025: Obfuscated .LNK‑Delivered DeerStealer, Fake 7‑Zip, and More appeared first on ANY.RUN's Cybersecu...| ANY.RUN's Cybersecurity Blog
In a case that redefines the boundaries of modern cybercrime, a threat actor known as UNC2891 has carried out a multi-vector cyber-heist targeting ATM infrastructure across several banking institutions. Group-IB’s […] The post Backdooring ATMs via Bootloader? These Hackers Showed It’s Still Possible in 2025 appeared first on Information Security Newspaper | Hacking News.| Information Security Newspaper | Hacking News
A new variant of the macOS.ZuRu malware, first identified in 2021, was discovered leveraging a trojanized Termius application to deploy a modified Khepri C2 beacon, targeting developers and IT professionals.| blog.polyswarm.io
Read a technical analysis of the Ducex packer used by Android malware like Triada for obfuscation and analysis evasion.| ANY.RUN's Cybersecurity Blog
Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh IOCs.| ANY.RUN's Cybersecurity Blog
BSides Munich 2020. Authors: Eslam Reda, Jameel Nabbo. Watch the talk on YouTube. PowerShell script used for creating reverse TCP and bypasses AV FUD .NET […] The post The Art of bypassing endpoint protections for red teaming engagements first appeared on Buffer Overflows.| Buffer Overflows
Explore in-depth technical analysis of OtterCookie, a new North Korean Lazarus APT malware that steals victims' crypto and credentials.| ANY.RUN's Cybersecurity Blog
CVE-2025-31324: Pre-Auth RCE in SAP NetWeaver Visual Composer – Full Exploit Walk-Through & Defense Guide CVE-2025-31324 is a CVSS 10.0 remote-code-execution flaw in the Visual Composer Metadata component of SAP NetWeaver AS Java 7.00 → 7.50. Unauthenticated attackers can upload arbitrary ZIP/WAR archives, drop a web-shell, and run commands as <SID>adm (often mapped to SYSTEM). […] The post CVE-2025-31324: Pre-Auth RCE in SAP NetWeaver Visual Composer – Full Exploit Walk-Through & Def...| ZeroDay Labs
Analysis of PupkinStealer, a .NET Telegram info-stealer that steals passwords, sessions & files. Includes IOCs and quick mitigation tips.| ZeroDay Labs
Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen data.| ANY.RUN's Cybersecurity Blog
Windows shortcut files can contain valuable data. We will see how to extract the most information out of a .lnk downloader and will manually extract the configuration file of the final Cobalt Strike beacon using Malcat.| MALCAT
In this post, I will explain how you can locate cross references programmatically using Python modules that are generally helpful in reverse engineering.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
See how ANY.RUN sources unique indicators of compromise for Threat Intelligence Feeds, helping businesses detect cyber threats.| ANY.RUN's Cybersecurity Blog
Discover a detailed technical analysis of the InvisibleFerret malware that targets businesses across different industries.| ANY.RUN's Cybersecurity Blog
Discover how YARA detection rules work and see real-world examples of rules used in ANY.RUN's Interactive Sandbox.| ANY.RUN's Cybersecurity Blog
Introduction| eln0ty
On February 23, during the war between Russia and Ukraine, malware targeting Ukrainian infrastructure (Windows devices), attributed to Russian Federation forces, was observed; it has since also been seen in the neighboring countries of Latvia and Lithuania. HermeticWiper makes a system inoperable by corrupting its data: it manipulates the MBR, resulting in subsequent boot failure. Malware artifacts suggest that the attacks had been planned for several months.| eln0ty
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers.| eln0ty
Hooking is a technique to intercept function calls/messages or events passed between software, or in this case malware. The technique can be used for malicious, as well as defensive cases. Rootkits for example can hook API calls to make themselves invisible from analysis tools, while we as defenders can use hooking to gain more knowledge […]| Malware and Stuff
Discover how Google Gemini 1.5 Flash enhances malware analysis, offering unparalleled speed and accuracy. Protect your data effortlessly.| Govindhtech
A Cloud Virtual CISO is essentially a cybersecurity consultant specializing in cloud environments. They provide the same kind of leadership| Govindhtech
Case Study WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022. The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN. The following are crypto wallets collect...| RussianPanda Research Blog
Learn about the stealthy SSLoad malware and its evolving nature, how it infiltrates systems, gathers reconnaissance, and delivers payloads.| Intezer
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.| MALCAT
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.| MALCAT
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an Excel downloader and the following obfuscated native dropper without (much) reverse engineering.| MALCAT
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload.| MALCAT
Our target is a 2-layer .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the Python scripting engine.| MALCAT
If you ever used Process Monitor to track activity of a process, you might have encountered the following pattern: The image above is a snippet from events captured by Process Monitor during the execution of x32dbg.exe on Windows 7. DNSAPI.DLL and IPHLPPAPI.DLL are persisted in the System directory, so you might question yourself: Why would … The DLL Search Order And Hijacking It| Malware and Stuff
As a reverse engineer, every now and then you encounter a situation where you dive deeper into the internal structures of an operating system than usual. Be it out of simple curiosity, or because you need to understand how a binary uses specific parts of the operating system in certain ways. One of the … PEB: Where Magic Is Stored| Malware and Stuff
A domain generation algorithm is a routine/program that generates a domain dynamically. Think of the following example: An actor registers the domain evil.com. The corresponding backdoor has this domain hardcoded into its code. Once the attacker infects a target with this malware, it will start contacting its C2 server. As soon as a security company … DGAs – Generating domains dynamically| Malware and Stuff
You probably already guessed it from the title’s name: API Hashing is used to obfuscate a binary in order to hide API names from static analysis tools, hindering a reverse engineer from understanding the malware’s functionality. A first approach to get an idea of an executable’s functionalities is to more or less dive through the … Deobfuscating DanaBot’s API Hashing| Malware and Stuff
It's not uncommon to come across some kind of string encryption functionality within malware samples, often more complex than a simple single-byte XOR operation which can often be brute-forced with simplicity. By encrypting strings, malware authors are able to potentially lower the detection rate by anti-malware software, obscuring strings that may be identified as "malicious",| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
This deep dive aims to guide you through .NET reverse engineering, equipping you with the essential knowledge to analyze .NET malware.| Intezer
This is kind of a shot in the dark when it comes to content. As with most of my blog, this is mainly for my own tracking and edification, but I hope to provide something adequate for others. This is a subject matter I’ve been trying to break into for a while but have been struggling with for quite some time. It’s definitely out of my realm of comfortability, but I’m hoping this blog will help with that.| anubissec.github.io
What if we could somehow compile some Python code that couldn’t be disassembled with your average Python interpreter? What if instead of LOAD_NAME or POP_TOP, we switched its opcode value with BUILD_LIST or PUSH_NULL?| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Anubis is a well known android banking malware. Although it hasn’t been around for long, it had…| n1ghtw0lf
SmokeLoader is a well known bot that has been around since 2011. It’s mainly used to drop other malware families…| n1ghtw0lf
Snake Keylogger is a malware developed using .NET. It’s focused on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.| XJunior
Part 1 of analyzing the KrakenKeylogger Malware| Toxin Labs
GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019; it has been used to deploy other malicious families like…| n1ghtw0lf
Qbot is a modular information stealer also known as Qakbot. It has been active for years, since 2007. It has…| n1ghtw0lf
Breakdown of key features stored in LummaC2 Stealer| Toxin Labs
Breakdown of a BumbleBee PowerShell Dropper & extracting the config of BumbleBee| Toxin Labs