🚨 Update Your Detection Rules: New Remote Access Trojan
We caught a Go-based RAT and named it #Moonrise. At the time of the analysis, the sample had not yet been submitted to VirusTotal ❗️

The level of access enables credential harvesting, sensitive data collection, and preparation for further compromise without triggering static detections, leaving SOCs with no clear signals to act on.

⚠️ Observed capabilities include:
🔹 Privilege-related functions and persistence mechanisms
🔹 Data theft and credential harvesting
🔹 Process control and command execution
🔹 File upload and execution
🔹 User activity monitoring: screen capture and streaming, webcam and microphone access, keystroke logging, clipboard monitoring

One compromised endpoint can disrupt operations and lead to financial and reputational damage.

👾 See sample execution in a live analysis session: https://app.any.run/tasks/d3e5e733-3b0d-4cf7-a7a8-ea1553cd16b9/?utm_source=mastodon&utm_medium=post&utm_campaign=moonrise&utm_term=180226&utm_content=linktoservice

✅ Behavior-first triage in #ANYRUN Sandbox lets security teams confirm attacker actions, like remote command execution, UAC bypass attempts, and persistence-related activity, within minutes. Security teams reduce Tier-1 overload and unnecessary escalations, while containing incidents earlier.

๐Ÿ‘จโ€๐Ÿ’ป Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=moonrise&utm_term=180226&utm_content=linktoenterpriselanding
#ExploreWithANYRUN

IOCs:

🚨 Attackers Took Over a Real Enterprise Email Thread to Deliver #Phishing

⚠️ The hacker replied directly within an active discussion among C-suite executives about a document pending final approval, sharing a phishing link to a fake Microsoft authentication form.
The attackers likely compromised a sales manager account at an enterprise contractor and hijacked a trusted business conversation.

👾 By detonating samples in the #ANYRUN Sandbox and pivoting indicators in TI Lookup, we uncovered a broader campaign powered by the #EvilProxy phishkit. The activity has been ongoing since early December 2025, primarily targeting companies in the Middle East.

🔗 Execution chain:
SCA phishing email ➡️ 7 forwarded messages ➡️ Phishing link ➡️ Antibot landing page w/ Cloudflare Turnstile ➡️ Phishing page w/ Cloudflare Turnstile ➡️ EvilProxy

โ—๏ธ Supply chain phishing campaigns now rely on layered social engineering, real conversation hijacking, and infrastructure that closely resembles #PhaaS platforms in both complexity and scale. These attacks exploit business trust, not technical vulnerabilities.

🎯 How companies can reduce supply chain phishing risk:
🔹 Flag HTML/PDF files with dynamic content, review unusual approval flows, and detonate suspicious files in a sandbox before interaction.
🔹 Split responsibility between initiating and approving document or process changes. Apply the four-eyes principle.
🔹 Use realistic supply chain attack scenarios and "perfect-looking" emails in awareness programs.

⚡️ Further technical insights are coming, stay tuned!

With #ANYRUN Sandbox, the threat's full attack chain becomes visible through real behavior and actionable reports with IOCs in under 60 seconds, significantly cutting MTTD and MTTR. Security teams triage faster, reduce Tier-1 overload and escalations, and contain incidents earlier to limit business impact.

๐Ÿ‘จโ€๐Ÿ’ป Equip your SOC with stronger phishing detection: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=b2b_social_engineering_phishing&utm_term=270126&utm_content=linktoenterprise

#ExploreWithANYRUN

📋 IOCs:
URI pattern: POST ^(/bot/|/robot/)$
Domains:
Domain pattern: ^loginmicrosoft*
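As an added example (not part of the post or ANY.RUN's tooling), a small Python check that applies the two patterns above to constructed proxy log lines. It assumes a "timestamp client method url status" line format and reads ^loginmicrosoft* as a hostname prefix, since the literal regex would also match "loginmicrosof".

```python
import re
from urllib.parse import urlsplit

# Patterns from the post's IOC section. As a literal regex, "^loginmicrosoft*"
# means "loginmicrosof" followed by zero or more "t"; the intended reading is a
# hostname that starts with "loginmicrosoft", so that is what is matched here.
URI_PATTERN = re.compile(r"^(/bot/|/robot/)$")
DOMAIN_PATTERN = re.compile(r"^loginmicrosoft")

# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2026-01-27T09:14:02Z 10.0.0.12 POST https://portal.example-contractor.test/robot/ 200
2026-01-27T09:14:05Z 10.0.0.12 GET https://loginmicrosoft-example.test/common/oauth2 200
2026-01-27T09:14:09Z 10.0.0.31 GET https://www.example.org/robots.txt 200
2026-01-27T09:15:11Z 10.0.0.12 POST https://cdn.example.net/bot/ 200
2026-01-27T09:16:40Z 10.0.0.44 POST https://www.example.org/bot/status 404
"""


def parse_line(line: str) -> dict:
    """Split one log line into fields and break the URL into host and path."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (parts.hostname or "").rstrip("."), "path": parts.path or "/",
            "status": status}


def classify(event: dict) -> list:
    """Return the IOC patterns the event matches (empty list when none)."""
    reasons = []
    # The URI pattern is anchored on both ends: /bot/status or /robots.txt do not match.
    if event["method"] == "POST" and URI_PATTERN.match(event["path"]):
        reasons.append("evilproxy-uri")
    if DOMAIN_PATTERN.match(event["host"]):
        reasons.append("loginmicrosoft-domain")
    return reasons


def scan(log_text: str) -> list:
    """Return (client, host, path, reasons) for every line matching an IOC pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["client"], ev["host"], ev["path"], reasons))
    return hits


def clients_matching_both(hits: list) -> set:
    """Clients that touched both an EvilProxy URI and a loginmicrosoft* host."""
    seen = {}
    for client, _host, _path, reasons in hits:
        seen.setdefault(client, set()).update(reasons)
    return {c for c, r in seen.items() if {"evilproxy-uri", "loginmicrosoft-domain"} <= r}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("clients matching both patterns:", clients_matching_both(scan(SAMPLE_LOG)))
```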

#cybersecurity #infosec

🚨 #Phishing on Trusted Cloud Infrastructure: Google, Microsoft, Cloudflare.
We're tracking a growing trend where phishing kit infrastructure is hosted on legitimate cloud and CDN platforms, not newly registered domains. In some cases, these campaigns specifically target enterprise users. This creates serious visibility challenges for security teams.

We've observed this pattern across multiple #phishkits:
🔹 #Tycoon hosted on alencure[.]blob[.]core[.]windows[.]net (Microsoft Azure Blob Storage): https://app.any.run/tasks/29b53d89-99b4-4827-b0af-72f315fdf529/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
⚠️ #Sneaky2FA hosted on legitimate cloud platforms, filtering out free email domains via a fake Microsoft 365 login to target corporate accounts:
firebasestorage[.]googleapis[.]com (Cloud Storage for Firebase): https://app.any.run/tasks/8189dd5e-0159-480d-8654-7b438a73f11e?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
cloudfront[.]net (AWS CloudFront): https://app.any.run/tasks/9a2d1537-e952-455e-bba0-b36f720a07e6/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice
🔹 #EvilProxy hosted on sites[.]google[.]com (Google Sites): https://app.any.run/tasks/07995c22-6e7d-468b-ad94-29af75525ed3/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktoservice

Victims see a "trusted" provider domain, while the network only sees normal HTML being loaded from cloud infrastructure. What looks clean at first glance is exposed by #ANYRUN Sandbox in under 60 seconds, directly reducing MTTD and MTTR.

🔍 Hunt for related activity and pivot from #IOCs using these search queries in TI Lookup:
🔹 Microsoft Azure Blob Storage abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%22query%22:%22threatName:%5C%22phishing-ml%5C%22%20and%20domainName:%5C%22*.blob.core.windows.net$%5C%22%22,%22dateRange%22:30%7D
🔹 Firebase Cloud Storage abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%2522firebasestorage.googleapis.com$%255C%2522%2520AND%2520(domainName:%255C%2522.icu$%255C%2522%2520OR%2520domainName:%255C%2522.xyz$%255C%2522)%2522,%2522dateRange%2522:60%7D%20%20
🔹 Google Sites abuse: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%2522sites.google.com$%255C%2522%2520AND%2520suricataMessage:%255C%2522*Possible%2520Fake%2520Microsoft%2520Sign-in%2520domain%2520chain*%255C%2522%2522,%2522dateRange%2522:60%7D%20%20

Many security vendors will flag these domains as legitimate. Technically, they are. That's why security teams need behavioral analysis and network-level signals to reliably uncover phishing before impact.

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=trusted_cloud_infrastructure&utm_term=150126&utm_content=register#register
#ExploreWithANYRUN

#IOCs:

#cybersecurity #infosec

🚨 New #LockBit Variant Targets ESXi and Linux: Critical Infrastructure at Risk.
⚠️ In September 2025, on its sixth anniversary, the LockBit group released LockBit 5.0, a new version of its #ransomware. The new variant introduces stronger obfuscation, flexible configurations, and advanced anti-analysis techniques.

The most alarming development is the expansion to #Linux and #VMware ESXi, signaling a clear focus on server environments and critical infrastructure. Ransomware has shifted from targeting endpoints to directly disrupting core infrastructure.

โ—๏ธ A single intrusion can take down dozens of virtual servers, causing organization-wide outages with severe financial and reputational impact.

LockBit 5.0 comes in three builds, each optimized for its target OS with nearly identical functionality.

🚨 VMware ESXi: The most critical new variant, a dedicated encryptor for hypervisors that can simultaneously disable all VMs on a host. Its CLI resembles the other builds but adds VM datastore and config targeting.
See live execution: https://app.any.run/tasks/c3591887-eb31-4810-91b5-54647c6a86a4/?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_term=011025&utm_content=linktoservice

📌 Windows: Main variant. Runs with DLL reflection, supports both GUI and console, encrypts local and network files, removes VSS shadow copies, stops services, clears event logs, and drops ransom notes linking to live chat support.
See live execution: https://app.any.run/tasks/17cc701e-7469-4337-8ca1-314b259e7b73/?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_term=011025&utm_content=linktoservice

📌 Linux: Console-based, replicates Windows functionality with mount point filters, post-encryption disk wiping, and anti-analysis checks such as geolocation restrictions and build expiry.
See live execution: https://app.any.run/tasks/d22b7747-1ef2-4e3e-9f80-b555f7f47a3c/?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_term=011025&utm_content=linktoservice

🔍 Use these TI Lookup search queries to monitor for suspicious activity and enrich detection logic with live threat data:
ESXi Lockbit 5.0: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_content=linktoti&utm_term=011025#%7B%2522query%2522:%2522commandLine:%255C%2522vmware%2520-v%255C%2522%2522,%2522dateRange%2522:180%7D%20
Linux Lockbit 5.0: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_content=linktoti&utm_term=011025#%257B%2522query%2522:%2522filePath:%255C%2522%5E/home/user/.local/share/evolution/tasks/ReadMeForDecrypt.txt$%255C%2522%2522,%2522dateRange%2522:180%257D
Windows Lockbit 5.0: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=lockbit5&utm_content=linktoti&utm_term=011025#%257B%2522query%2522:%2522filePath:%255C%2522%5EC:%255C%255C%255C%255CReadMeForDecrypt.txt$%255C%2522%2522,%2522dateRange%2522:180%257D

๐Ÿ‘จโ€๐Ÿ’ป What can you do now?
โœ… Boost visibility: combine EDR/XDR with behavior-based monitoring. Leverage #ANYRUNโ€™s Sandbox and TI Lookup to detect new builds early, enrich detection rules, and reduce MTTR by up to 21 minutes.
โœ… Harden access: enforce MFA for vCenter, restrict direct internet access to ESXi hosts, and route connections through VPN.
โœ… Ensure resilience: keep offline backups and test recovery regularly.

👏 Thanks to @fbgwls245 for sharing the Linux sample with the community!

🚀 Strengthen resilience, protect business continuity through proactive security with #ANYRUN. #ExploreWithANYRUN #CybersecurityAwarenessMonth

🚨 Figma Abuse Leads to Microsoft-Themed #Phishing.
⚠️ Attackers are exploiting trusted platforms to bypass defenses. Among all phishing threats we tracked last month, #phishkits abusing Figma made up a significant share: #Storm1747 (49%), Mamba (25%), Gabagool (2%), and Other (24%).

🔍 This trend underscores the need to monitor abuse of trusted platforms that create blind spots in defenses and raise the risk of large-scale credential theft.

In this case, Figma prototypes were abused as phishing lures: a victim receives an email with a link to a "document" hosted on http://figma.com. Once opened, the prototype displays content that prompts a click on an embedded link. The chain continues through fake CAPTCHAs or even a legitimate Cloudflare Turnstile widget.

🔗 Execution chain:
Phishing email with a link ➡️ Figma document ➡️ Fake CAPTCHA or Cloudflare Turnstile widget ➡️ Phishing Microsoft login page

๐Ÿ‘จโ€๐Ÿ’ป See the full execution on a live system and download actionable report: https://app.any.run/tasks/5652b435-2336-4531-a33f-d81a733b3c63/?utm_source=mastodon&utm_medium=post&utm_campaign=figma_phishing&utm_term=240925&utm_content=linktoservice

📌 Why Figma? Public prototypes are easy to create and share, require no authentication, and come from a trusted domain. This combination makes it easier to bypass automated security controls, slip through email filters, and increase user interaction.

🎯 For CISOs, the abuse of widely trusted platforms creates critical monitoring gaps, while Microsoft impersonation elevates the risk of credential theft or account takeover, posing direct risks to business resilience and compliance.

SOC teams need the ability to trace redirect chains, uncover hidden payloads, and enrich detection rules with both static #IOCs and behavioral context.

🔍 Use this TI Lookup search query to expand threat visibility and enrich #IOCs with actionable threat context:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=figma_phishing&utm_content=linktoti&utm_term=240925#%7B%2522query%2522:%2522domainName:%255C%2522figma.com%255C%2522%2520AND%2520threatName:%255C%2522phishing%255C%2522%2522,%2522dateRange%2522:180%7D

IOCs:
9a4c7dcf25e9590654694063bc4958d58bcbe57e5e95d9469189db6873c4bb2c
Dataartnepal[.]com

Strengthen resilience and protect business continuity with #ANYRUN 🚀 #ExploreWithANYRUN

#cybersecurity #infosec

🚨 Fileinfectors Evolved: Spreading Ransomware Across Enterprise Networks

⚠️ Fileinfector #malware inserts its code into files. These threats once spread mainly through external drives and local systems. Today's file infectors are mostly hybrid variants, frequently combined with #ransomware.

These variants encrypt data and inject malicious code into files, enabling further spread when infected files are executed.

โ—๏ธ They are especially dangerous in corporate environments with shared folders, where a single infected file can rapidly spread across the network and cause widespread damage.
Such outbreaks overwhelm security teams, complicate incident response, and disrupt business continuity.

๐Ÿ‘จโ€๐Ÿ’ป An optimized SOC that relies on early detection, behavioral analysis, and proactive hunting is critical to limiting impact. Letโ€™s see malware execution on a live system:
https://app.any.run/tasks/7ea8ab1f-3c99-4cba-a92b-89305a617492/?utm_source=mastodon&utm_medium=post&utm_campaign=fileinfector&utm_term=100925&utm_content=linktoservice

In this case, the malware interacts with multiple files and modifies their content. The infected files become executables, with PE headers confirming the injected malicious code.

The analysis revealed hybrid behavior: a fileinfector acting like ransomware, enabling further spread on execution.
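As an added example, not from the post or ANY.RUN, a Python scanner for the symptom described above: files that should not be executables but now carry an MZ/PE header. The sample files it builds in a temporary directory are constructed, and the "non-executable extension" heuristic is an assumption of this example, not the sandbox's detection logic.

```python
import io
import struct
import tempfile
from pathlib import Path

# Extensions where a PE image is expected; a PE header behind any other extension
# is the symptom the post describes (heuristic chosen for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl", ".drv"}
MAX_E_LFANEW = 0x400000  # sanity bound so a corrupt header does not trigger a huge seek


def _probe(fh) -> bool:
    """True if the stream starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    head = fh.read(0x40)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew > MAX_E_LFANEW:
        return False
    fh.seek(e_lfanew)
    return fh.read(4) == b"PE\x00\x00"


def has_pe_header(data: bytes) -> bool:
    return _probe(io.BytesIO(data))


def file_has_pe_header(path: Path) -> bool:
    with path.open("rb") as fh:
        return _probe(fh)


def scan_tree(root: Path) -> list:
    """Files under root that carry a PE header behind a non-executable extension."""
    return [p for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() not in EXECUTABLE_SUFFIXES
            and file_has_pe_header(p)]


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed MZ stub plus PE signature; only the headers, not a runnable image."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"\x00" * (e_lfanew - 0x40) + b"PE\x00\x00" + b"\x00" * 0x100


def demo() -> list:
    """Build a constructed sample tree and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(make_fake_pe())        # infected document
        (root / "notes.txt").write_bytes(b"quarterly notes\n")    # clean text
        (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n%%EOF\n")  # clean PDF
        (root / "tools").mkdir()
        (root / "tools" / "archiver.exe").write_bytes(make_fake_pe())  # PE where expected
        return sorted(p.relative_to(root).as_posix() for p in scan_tree(root))


if __name__ == "__main__":
    print("flagged:", demo())
```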

🔍 Use this TI Lookup search query to explore fileinfector activity and enrich #IOCs with actionable threat context:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fileinfector&utm_content=linktoti&utm_term=100925#%7B%2522query%2522:%2522threatName:%255C%2522fileinfector%255C%2522%2522,%2522dateRange%2522:180%7D%20

👾 Gather malware hashes and infected files to power proactive hunting:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fileinfector&utm_content=linktoti&utm_term=100925#%7B%2522query%2522:%2522threatName:%255C%2522fileinfector%255C%2522%2520AND%2520filePath:%255C%2522*%255C%2522%2522,%2522dateRange%2522:180%7D%20

Hybrid fileinfectors pose a significant threat to enterprise networks. Leveraging #ANYRUN Sandbox and TI Lookup reduces MTTR by up to 21 minutes per case and gives access to 24x more IOCs from millions of past analyses.

Strengthen resilience and protect critical assets through proactive security with #ANYRUN 🚀 #ExploreWithANYRUN

#cybersecurity #infosec

🚨 Fake 7-Zip installer exfiltrates Active Directory files.
A #malicious installer disguised as 7-Zip steals critical Active Directory files, including ntds.dit and the SYSTEM hive, by leveraging shadow copies and exfiltrating the data to a remote server.
🥷 Upon execution, the #malware creates a shadow copy of the system drive to bypass file locks and extract protected files without disrupting system operations.

🎯 It then copies ntds.dit, which contains Active Directory user and group data, and SYSTEM, which holds the corresponding encryption keys.

The malware connects to a remote server via SMB using hardcoded credentials. All output is redirected to NUL to minimize traces.

๐Ÿ‘จโ€๐Ÿ’ป #ANYRUN Sandbox makes it easy to detect these stealthy operations by providing full behavioral visibility, from network exfiltration to credential staging, within a single interactive session.
๐Ÿ” See analysis session: https://app.any.run/tasks/7f03cd5b-ad02-4b3a-871f-c31ac0f5dc15/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_7zip&utm_term=090725&utm_content=linktoservice

This technique gives the attacker a full ntds.dit dump, allowing them to extract credentials for Active Directory objects and enabling lateral movement techniques such as Pass-the-Hash or Golden Ticket.

🚀 Analyze and investigate the latest malware and #phishing threats with #ANYRUN.
#ExploreWithANYRUN

🚨 Top 5 Remote Access Tools Exploited by Threat Actors in the First Half of 2025.
⚠️ While legitimate and widely used by IT teams, Remote Monitoring and Management tools are increasingly used by threat actors to establish persistence, bypass defenses, and exfiltrate data.

In the first half of 2025, #ANYRUN observed a significant number of #malware samples leveraging known RMM software for #malicious access. Here are the 5 most frequently abused tools, along with analysis examples:
1๏ธโƒฃ ScreenConnect โ€“ 3,829 sandbox sessions
https://app.any.run/tasks/3aa42d2e-8b91-4b8c-8bbb-e2b733194294/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

2๏ธโƒฃ UltraVNC โ€“ 2,117 sandbox sessions
https://app.any.run/tasks/1b7234a0-ab11-4301-a5e7-9e157acfad95/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

3๏ธโƒฃ NetSupport โ€“ 746 sandbox sessions
https://app.any.run/tasks/6740b646-2763-4969-9afe-31104dff0d81/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

4๏ธโƒฃ PDQ Connect โ€“ 230 sandbox sessions
https://app.any.run/tasks/05948d1c-3128-4daa-97e5-60dd9991c115/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

5๏ธโƒฃ Atera โ€“ 171 sandbox sessions
https://app.any.run/tasks/61e01084-e442-4bb7-a725-1667128573ce/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

๐Ÿ‘จโ€๐Ÿ’ป To support faster detection and investigation, weโ€™ve added the rmm-tool tag in TI Lookup, making it easier for threat hunters and incident responders to track RMM-based intrusions.

🔍 Explore recent RMM abuse cases in the last 180 days:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_content=linktoti&utm_term=020725#%7B%2522query%2522:%2522threatName:%255C%2522rmm-tool%255C%2522%2522,%2522dateRange%2522:180%7D%20

Analyze the latest malware and #phishing threats with #ANYRUN 🚀 #ExploreWithANYRUN

🚨 #WormLocker Returns with New Builds. First detected in 2021, this #ransomware remains active, with new samples recently identified.
👨‍💻 With #ANYRUN Sandbox, analysts can trace the full execution chain and uncover #malware behavior without the need for reverse engineering or manual debugging. Let's see it in action.

📥 Upon execution, WormLocker 2.0 creates worm_tool.sys files in both the Desktop and Downloads folders.

It uses the 'takeown' and 'icacls' commands to take ownership of system files and modify their access control lists. The malware then unpacks its resources into the System32 folder.

🚫 To disrupt system recovery, it disables Task Manager, deletes hidden files, and terminates the Explorer process. The Shell settings are set to empty, keeping Explorer disabled even after reboot.

WormLocker 2.0 employs #AES-256 in CBC mode with a fixed salt. The key is generated from the hardcoded static password 'LUC QPV BTR' by applying SHA-256.

🔑 Entering this key restores system settings and decrypts the affected data.

Finally, the ransomware runs a VBS script to play audio containing its ransom demand.

๐Ÿ‘จโ€๐Ÿ’ป Analysis session: https://app.any.run/tasks/5a6eb571-5fb2-45cc-b498-6a4ce17fc510/?utm_source=mastodon&utm_medium=post&utm_campaign=wormlocker20&utm_term=170425&utm_content=linktoservice
With โ€˜LUC QPV BTRโ€™ password entered: https://app.any.run/tasks/5bb3af51-5d60-452d-a0c8-c1ee8593fedd/?utm_source=mastodon&utm_medium=post&utm_campaign=wormlocker20&utm_term=170425&utm_content=linktoservice

Improve your SOC operations with #ANYRUN 🚀
#ExploreWithANYRUN


🚨 New #ClickFix scam targets US users with fake MS Defender and Cloudflare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.

๐Ÿ‘จโ€๐Ÿ’ป Analysis session: https://app.any.run/browses/50395c46-41f5-4bb3-8205-61262ef4e63d/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice

📍 URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake "Windows Defender Security Center" popup.

🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to panic the user.

Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.

🎣 The phishing page may also display a fake Cloudflare message tricking users into executing a #malicious Run command.
Take a look: https://app.any.run/tasks/e83a5861-6006-4b1d-aba8-8536dcaa8057/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice

#IOCs:

Streamline threat analysis for your SOC with #ANYRUN 🚀
#ExploreWithANYRUN
