🚨 𝗦𝗽𝗮𝗻𝗸: 𝗟𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝗣𝗿𝗼𝗰𝗲𝘀𝘀 𝗔𝗯𝘂𝘀𝗲, 𝗗𝗲𝗹𝗮𝘆𝗲𝗱 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻, 𝗮𝗻𝗱 𝗥𝗔𝗧 𝗣𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝗲.
We caught a two-component Rust-based RAT toolkit we're calling #SpankRAT. Because C2 traffic originates from legitimate system processes, 𝘁𝗵𝗶𝘀 𝗮𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗰𝗮𝗻 𝗯𝘆𝗽𝗮𝘀𝘀 𝗿𝗲𝗽𝘂𝘁𝗮𝘁𝗶𝗼𝗻-𝗯𝗮𝘀𝗲𝗱 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀 𝗮𝗻𝗱 𝗯𝗲 𝗱𝗲𝗽𝗿𝗶𝗼𝗿𝗶𝘁𝗶𝘇𝗲𝗱 𝗱𝘂𝗿𝗶𝗻𝗴 𝘁𝗿𝗶𝗮𝗴𝗲, reducing SOC visibility and increasing the risk of missed compromise. As a result, attackers gain stealthy persistence and hands-on control within the environment ⚠️
❗️ At the time of analysis, most samples remain undetected on VirusTotal.

⚡️ Behavioral analysis is essential for detecting threats like this. #ANYRUN Sandbox reveals the full execution chain, injection activity, C2 communication, and privilege escalation in real time, helping teams confirm malicious activity faster when traditional detection fails.

1️⃣ The attack starts with 𝗦𝗽𝗮𝗻𝗸𝗟𝗼𝗮𝗱𝗲𝗿, a lightweight loader that retrieves the main payload from C2 over plain HTTP, escalates privileges, and injects it into 𝗲𝘅𝗽𝗹𝗼𝗿𝗲𝗿.𝗲𝘅𝗲 using classic DLL injection, establishing persistence via a Scheduled Task.

2️⃣ Once loaded inside explorer.exe, 𝗦𝗽𝗮𝗻𝗸𝗥𝗔𝗧 communicates with C2 over WebSocket and provides full remote access to the system. The full-featured variant supports 𝟭𝟴 𝘀𝗲𝗿𝘃𝗲𝗿 𝗰𝗼𝗺𝗺𝗮𝗻𝗱𝘀 covering remote shell execution, file management (list/read/upload/delete/rename), process enumeration and killing, Windows service control (start/stop/restart), full registry CRUD, scheduled task manipulation, and software inventory.

🔗 Execution chain:
SpankLoader ➡️ Download from C2 ➡️ Drop DLL to C:\ProgramData\ ➡️ SeDebugPrivilege ➡️ DLL injection into explorer.exe ➡️ Scheduled Task (persistence) ➡️ SpankRAT ➡️ WebSocket C2 ➡️ RAT 🚨

𝗙𝗶𝗻𝗱 𝘁𝗵𝗲 𝗳𝘂𝗹𝗹 𝗖𝟮 𝗰𝗼𝗺𝗺𝗮𝗻𝗱 𝘀𝗲𝘁 𝗮𝗻𝗱 𝗜𝗢𝗖𝘀 𝗶𝗻 𝘁𝗵𝗲 𝗰𝗼𝗺𝗺𝗲𝗻𝘁𝘀 📌

👨‍💻 See the analysis session: https://app.any.run/tasks/56306614-e569-4ace-a9ce-b27c3b983618/?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktoservice&utm_term=160426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktotilookup&utm_term=160426#%7B%22query%22:%22url:%5C%22*/download/rmm_agent.dll*%5C%22%22,%22dateRange%22:60%7D

🚀 Strengthen your SOC, detect complex threats faster, and boost team performance with #ANYRUN: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=spankrat_analysis&utm_content=linktoenterprise&utm_term=160426

#cybersecurity #infosec

🌃 What keeps Healthcare CISOs up at night? The gap between detection & response

#ANYRUN fits mature SOC operations, unifying detection, enrichment, and reporting to contain incidents before they impact patient care

⚡️ Streamline your team's workflows: https://any.run/by-industry/healthcare/?utm_source=mastodon&utm_medium=post&utm_campaign=healthcare&utm_content=linktohealthcare&utm_term=160426

⚡️ #ANYRUN is built for modern SOC operations: a unified workflow from monitoring to response, and the ability to scale across enterprise SOCs and MSSPs. Hear our CCO’s perspective 🎥

Achieve more with #ANYRUN. Integrate for your team: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=CDM_interview&utm_content=linktoenterprise&utm_term=150426

SOC workflows remain reactive, with validation and analysis spread across environments, delaying detection and response ❗️

Integrating #ANYRUN with IBM QRadar SOAR brings investigation steps into one process. Set up proactive security in a few clicks:
https://any.run/cybersecurity-blog/ibm-qradar-soar-anyrun-integration/?utm_source=mastodon&utm_medium=post&utm_campaign=anyrun_ibm_qradar_soar_integration&utm_content=linktoblog&utm_term=150426

🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec

❗️ MSSP growth brings higher alert volume and stricter SLAs.

Unifying detection, enrichment, and reporting with #ANYRUN helps teams support more clients while keeping service quality consistent ⚡️

Explore how #ANYRUN strengthens MSSP growth at scale: https://any.run/mssp/?utm_source=mastodon&utm_medium=post&utm_campaign=mssp_growth&utm_term=080426&utm_content=linktomssplanding

⏳ Every minute without execution context increases dwell time and business risk.

Integrate #ANYRUN into your current stack to reduce MTTR by 21 min per case and cut Tier 1 workload by up to 20%.

⚡️ Close the gap between detection and decision-making: https://any.run/integrations/?utm_source=mastodon&utm_medium=post&utm_campaign=all_integrations_connectors&utm_term=070426&utm_content=linktointegrations

⚠️ Encrypted HTTPS traffic remains one of the main reasons #phishing is harder to confirm quickly. Automatic SSL decryption significantly expands visibility in every #ANYRUN Sandbox session. See real-world examples:
🔹 #EvilTokens. Decrypted traffic exposed hidden HTTPS API calls behind the OAuth Device Code phishing flow, revealing session control and attacker infrastructure: https://app.any.run/tasks/2e8014a8-a90a-41bf-90fa-aa65da40fd20/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹#FlowerStorm. SSL decryption enabled early detection of this phishkit via POST requests to /google.php at initial page load, before any user interaction or data entry: https://app.any.run/tasks/25694db7-2771-480c-9ff0-773e399331d6/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

🔹 Phishing via Telegram API. Decrypted traffic revealed data exfiltration through the Telegram Bot API, helping identify localized campaigns via encrypted traffic patterns: https://app.any.run/tasks/49484bb5-28ec-44ca-835a-9b3235bd6419/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoservice

⚡️ Reduce phishing risk across your organization. Integrate #ANYRUN into your SOC’s triage & response workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=ssl_decryption_examples&utm_term=020426&utm_content=linktoenterpriselanding

#cybersecurity #infosec

🚑 Limited context during analysis slowed triage and response at Health Shared Services, a healthcare organization supporting 130K+ endpoints

⚡️ See how #ANYRUN changed their SOC workflow and allowed analysts to handle real threats with lower MTTR/MTTD: https://any.run/cybersecurity-blog/healthcare-success-story/?utm_source=mastodon&utm_medium=post&utm_campaign=healthcare_success_story&utm_term=020426&utm_content=linktoblog

⚠️ #𝗦𝘁𝗲𝗮𝗹𝗖 𝗶𝘀 𝗻𝗼𝘄 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝗲𝗱 𝘃𝗶𝗮 𝗮 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗳𝗹𝗼𝘄, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
ClickFix flow on diddyparty[.]click triggers PowerShell via Win+X ➡️ I. A hidden command (-NoProfile -WindowStyle Hidden) enforces TLS 1.2, stages a random EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and attempts cleanup. Full execution details are available in the Script Tracer tab.

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec