Editor’s note: The current article is authored by Clandestine, threat researcher and threat hunter. You can find Clandestine on X. ANY.RUN’s Threat Intelligence (TI) Lookup is a powerful service for Open Source Intelligence (OSINT) and Threat Intelligence investigations. In this research, we shall analyze 5 specific queries, each targeting different aspects of the threat landscape, to better […] The post Phishing, Cloud Abuse, and Evasion: Advanced OSINT Investigation with ANY.RUN T...| ANY.RUN's Cybersecurity Blog
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. AI is part of our lives whether we like it or not. Even if you are not quite a fan, or not a user at all, you probably came across multiple AI-generated avatars, pictures, […] The post FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware appeared first on ANY.RUN's Cybersecurity Blog.| ANY.RUN's Cybersecurity Blog
Verticals Targeted: Not specified Regions Targeted: None Related Families: Petya, NotPetya, NotPetyaAgain, RedPetyaOpenSSL Executive Summary HybridPetya is a ransomware variant resembling Petya/NotPetya, capable of compromising UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not observed in active campaigns, its advanced capabilities warrant close monitoring by security teams.| PolySwarm Main Blog
SOC teams may waste hours daily manually enriching alerts and switching between tools, delaying response. ANY.RUN’s Microsoft Sentinel Connector fixes this by introducing fast, accurate, and interactive sandbox analysis into Sentinel’s workflow, so alerts get auto-processed, enriched with IOCs, and prioritized in seconds. Here’s how you can speed up response times, filter out false positives, […] The post ANY.RUN Sandbox & Microsoft Sentinel: Less Noise, More Speed for Your SOC ap...| ANY.RUN's Cybersecurity Blog
Telecommunications companies are the digital arteries of modern civilization. Compromise a major telecom operator, and you don’t just steal data — you gain the power to intercept communications, manipulate network traffic, and bring entire regions offline. Every day, ANY.RUN’s solutions process thousands of threat samples, and hidden within them are patterns of activity targeting telecom operators. […] The post Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Comp...| ANY.RUN's Cybersecurity Blog
SOCs face constant pressure. Heavy workloads, poor threat visibility, and disconnected tools introduce delays in detection and response, which may lead to financial loss and operational disruptions for the business. ANY.RUN helps over 15K security teams to solve this challenge by empowering them to quickly detect, analyze, and understand threats, so they can respond faster […] The post Efficient SOC: How to Detect and Solve Incidents Faster appeared first on ANY.RUN's Cybersecurity Blog.| ANY.RUN's Cybersecurity Blog
Swamped by incident alerts, Security Operations Centers (SOCs) struggle to quickly identify and prioritize high-risk attacks, leaving critical infrastructure exposed to ransomware and data theft. ANY.RUN’s integration with Palo Alto Networks Cortex XSOAR solves this by automating proactive sandbox analysis and threat intelligence correlation to beat alert fatigue, boost detection rates, and accelerate security workflows. […] The post ANY.RUN & Palo Alto Networks Cortex XSOAR: Streamline...| ANY.RUN's Cybersecurity Blog
The Lazarus Group, North Korea’s state-sponsored hacking collective, has held the title of the most notorious advanced persistent threat (APT) for almost two decades now. In 2025, it escalated its cyber operations, targeting tech industries with fake IT workers, fraudulent job interviews, and hijacked open-source software. It’s time to take a closer look at its […] The post Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know appeared first on ANY.RUN's Cybers...| ANY.RUN's Cybersecurity Blog
You can now easily integrate Threat Intelligence Feeds with fresh actionable zero-false-positive IOCs into your cybersecurity infrastructure without extra costs via ANY.RUN IBM App.| ANY.RUN's Cybersecurity Blog
Explore how top attacks like Tycoon2FA, Rhadamanthys and Salty2FA unraveled in August 2025 and what insights SOC teams can take away.| ANY.RUN's Cybersecurity Blog
What started like an easy unpacking session to fill a Friday afternoon lead us to a singular black-SEO campaign. Together, we will unravel 4 different malicious loaders written in 4 different programming languages, briefly analyse the final 10MB black-seo client and reverse engineer its command and control protocol. All of this for XXL swimsuits.| MALCAT
Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and EU.| ANY.RUN's Cybersecurity Blog
Find crucial steps to take as a CISO to empower your SOC operations with threat intelligence to mitigate risks and improve key metrics.| ANY.RUN's Cybersecurity Blog
Discover analysis of PyLangGhost RAT, the newest Lazarus Group malware targeting finance and tech professionals.| ANY.RUN's Cybersecurity Blog
Ingest fresh IOCs from 15K SOCs into your Microsoft Sentinel SIEM to expand threat coverage and increase detection rate.| ANY.RUN's Cybersecurity Blog
See actionable steps that your SOC can take to reduce alert fatigue, increase detection rate, and cut MTTR.| ANY.RUN's Cybersecurity Blog
Discover detailed breakdown of top cyberattacks in July 2025, from DeerStealer with LNK and LOLBin abuse to Remote Access Tools exploits.| ANY.RUN's Cybersecurity Blog
In a case that redefines the boundaries of modern cybercrime, a threat actor known as UNC2891 has carried out a multi-vector cyber-heist targeting ATM infrastructure across several banking institutions. Group-IB’sRead More → The post Backdooring ATMs via Bootloader? These Hackers Showed It’s Still Possible in 2025” appeared first on Information Security Newspaper | Hacking News.| Information Security Newspaper | Hacking News
A new variant of the macOS.ZuRu malware, first identified in 2021, was discovered, leveraging a trojanized Termius application to deploy a modified Khepri C2 beacon, targeting developers and IT professionals.| blog.polyswarm.io
Read a technical analysis of the Ducex packer used by Android malware like Triada for obfuscation and analysis evasion.| ANY.RUN's Cybersecurity Blog
Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh IOCs.| ANY.RUN's Cybersecurity Blog
BSides Munich 2020 Authors: Eslam Reda Jameel Nabbo Watch the talk on youtube Powershell script used for creating reverse TCP and bypasses AV FUD .NETRead More The post The Art of bypassing endpoint protections for red teaming engagements first appeared on Buffer Overflows.| Buffer Overflows
CVE-2025-31324: Pre-Auth RCE in SAP NetWeaver Visual Composer – Full Exploit Walk-Through & Defense Guide CVE-2025-31324 is a CVSS 10.0 remote-code-execution flaw in the Visual Composer Metadata component of SAP NetWeaver AS Java 7.00 → 7.50. Unauthenticated attackers can upload arbitrary ZIP/WAR archives, drop a web-shell, and run commands as <SID>adm (often mapped to SYSTEM). […] The post CVE-2025-31324: Pre-Auth RCE in SAP NetWeaver Visual Composer – Full Exploit Walk-Through & Def...| ZeroDay Labs
Analysis of PupkinStealer, a .NET Telegram info-stealer that steals passwords, sessions & files. Includes IOCs and quick mitigation tips.| ZeroDay Labs
Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen data.| ANY.RUN's Cybersecurity Blog
Windows shortcut files can contain valuable data. We will see how to extract the most information out of a .lnk downloader and will manually extract the configuration file of the final cobalt strike beacon using malcat| MALCAT
In this post, I will explain how you can locate cross references programmatically using Python modules that are generally helpful in reverse engineering.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
See how ANY.RUN sources unique indicators of compromise for Threat Intelligence Feeds, helping businesses detect cyber threats.| ANY.RUN's Cybersecurity Blog
Discover a detailed technical analysis of the InvisibleFerret malware that targets businesses across different industries.| ANY.RUN's Cybersecurity Blog
Discover how YARA detection rules work and see real-world examples of rules used in ANY.RUN's Interactive Sandbox.| ANY.RUN's Cybersecurity Blog
Introduction| eln0ty
On February 23 during the war between Russia and Ukrainian, A malware which is targeting Ukrainian infrastructure (windows devices) by Russian Federation forces has since been observed in the neighboring countries of Latvia and Lithuania. HermeticWiper makes a system inoperable by corrupting its data by manipulating the MBR resulting in subsequent boot failure. Malware artifacts suggest that the attacks had been planned for several months.| eln0ty
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers| eln0ty
Hooking is a technique to intercept function calls/messages or events passed between software, or in this case malware. The technique can be used for malicious, as well as defensive cases. Rootkits for example can hook API calls to make themselves invisible from analysis tools, while we as defenders can use hooking to gain more knowledge […]| Malware and Stuff
Discover how google gemini 1.5 flash enhances malware analysis, offering unparalleled speed and accuracy. Protect your data effortlessly.| Govindhtech
A Cloud Virtual CISO is essentially a cybersecurity consultant specializing in cloud environments. They provide the same kind of leadership| Govindhtech
Case Study WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022. The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN. The following are crypto wallets collect...| RussianPanda Research Blog
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.| MALCAT
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.| MALCAT
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an excel downloader and the following obfuscated native dropper without (much) reverse engineering.| MALCAT
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload| MALCAT
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.| MALCAT
If you ever used Process Monitor to track activity of a process, you might have encountered the following pattern: The image above is a snippet from events captured by Process Monitor during the execution of x32dbg.exe on Windows 7. DNSAPI.DLL and IPHLPPAPI.DLL are persisted in the System directory, so you might question yourself: Why would …The DLL Search Order And Hijacking It Read More »| Malware and Stuff
As a reverse engineer, every now and then you encounter a situation where you dive deeper into the internal structures of an operating system as usual. Be it out of simple curiosity, or because you need to understand how a binary uses specific parts of the operating system in certain ways . One of the …PEB: Where Magic Is Stored Read More »| Malware and Stuff
A domain generation algorithm is a routine/program that generates a domain dynamically. Think of the following example: An actor registers the domain evil.com. The corresponding backdoor has this domain hardcoded into its code. Once the attacker infects a target with this malware, it will start contacting its C2 server. As soon as a security company …DGAs – Generating domains dynamically Read More »| Malware and Stuff
You probably already guessed it from the title’s name, API Hashing is used to obfuscate a binary in order to hide API names from static analysis tools, hindering a reverse engineer to understand the malware’s functionality. A first approach to get an idea of an executable’s functionalities is to more or less dive through the …Deobfuscating DanaBot’s API Hashing Read More »| Malware and Stuff
It's not uncommon to come across some kind of string encryption functionality within malware samples, often more complex than a simple single-byte XOR operation which can often be brute-forced with simplicity. By encrypting strings, malware authors are able to potentially lower the detection rate by anti-malware software, obscuring strings that may be identified as "malicious",| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
This is kind of a shot in the dark when it comes to content. As with most of my blog, this is mainly for my own tracking and edification but I hope to provide something adequate for others. This is a subject matter I’ve been trying to break into for a while but have been struggling for quite some time. It’s definitely out my realm of comfortability, but I’m hoping this blog will help with that.| anubissec.github.io
What if we could somehow compile some Python code that couldn’t be disassembled with your average Python interpreter? What if instead of LOAD_NAME or POP_TOP, we switched it’s opcode value with BUILD_LIST or PUSH_NULL?| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.| 0ffset Training Solutions | Practical and Affordable Cyber Security Training
Anubis is a well known android banking malware. Although it hasn’t been around for long, it had…| n1ghtw0lf
SmokeLoader is a well known bot that is been around since 2011. It’s mainly used to drop other malware families…| n1ghtw0lf
Snake Keylogger is a malware developed using .NET. It’s focused on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.| XJunior
Part 1 of analyzing the KrakenKeylogger Malware| Toxin Labs
GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019, it has been used to deploy other malicious families like…| n1ghtw0lf
Qbot is a modular information stealer also known as Qakbot. It has been active for years since 2007. It has…| n1ghtw0lf
Breakdown of a key features stored in LummaC2 Stealer| Toxin Labs
Breakdown of a BumbleBee PowerShell Dropper & extracting the config of BumbleBee| Toxin Labs