Over the past few weeks, the ANY.RUN team joined Infosecurity Europe in London, CONFidence Conference in Kraków, and C1b3rWall Congress in Ávila. While every event had its own focus, the discussions pointed in the same direction: security teams need faster investigations, clearer evidence, and more confidence in every response decision. 

Infosecurity Europe 2026: From Alerts to Business Outcomes 

Infosecurity Europe was the biggest stop of our conference season. Over three days in London, the ANY.RUN team met with CISOs, SOC leaders, and MSSP teams to discuss the challenges shaping security operations today. 

One thing was hard to miss: the conversation has moved beyond alert volumes and technical metrics. 

Security leaders are under growing pressure to show how SOC performance supports the wider business. Boards do not simply want to know how many alerts were reviewed or how quickly a case was closed. They want to understand whether threats are identified early, whether risks are clearly assessed, and whether the team can act before an incident affects operations. 

Three priorities came up repeatedly during our conversations: 

From Alerts to Outcomes 

MTTR still matters, but the number alone does not tell the full story. Security teams need enough context to understand the impact of a threat, prioritize the right cases, and explain their decisions clearly. 

Behavioral analysis plays an important role here. By investigating suspicious files and URLs inside an interactive environment, teams can see how a threat behaves in real time and gather the evidence needed for a more confident response. 

Intelligence Where the Work Happens 

Security teams are not looking for another disconnected platform that adds extra steps to an already complex process. 

They want fresh threat intelligence and investigation-backed insights inside the tools they already use, including SIEM, SOAR, and EDR platforms. This helps teams move from detection to investigation and response without losing time switching between separate systems. 

Resilience Over Headcount 

Growing alert volumes cannot always be solved by growing the team. 

SOC leaders are looking for ways to make existing workflows more effective: reducing manual work, giving teams clearer evidence, and helping junior specialists handle routine investigations with greater confidence.

The goal is not simply to process more alerts. It is to build a more resilient SOC that can make consistent decisions even when the pressure rises. 

Infosecurity Europe was a valuable opportunity to discuss these priorities directly with the cybersecurity community and explore how behavioral visibility and live threat intelligence can support faster, clearer, and more reliable investigations. 

CONFidence Conference 2026: Practical Conversations with the Security Community 

Our next stop was CONFidence Conference in Kraków, where we joined cybersecurity professionals for two days of technical discussions, live demos, and conversations about the realities of modern threat investigation. 

Many of the challenges were familiar: rising alert volumes, increasingly sophisticated phishing campaigns, and the need to investigate threats faster without adding more pressure to already busy teams. 

At the ANY.RUN stand, visitors explored how behavioral visibility, investigation-backed threat intelligence, and cross-platform detection coverage can help SOCs and MSSPs analyze malware and phishing more consistently. 

But choosing the right security solution is not only about detection capabilities. Teams also need to know how they fit into their wider security environment: how sensitive data is handled, whether it supports controlled workflows, and whether the provider has the experience needed to support critical investigations. 

These questions matter even more for organizations operating in regulated industries, where security tools need to support effective threat response while meeting strict internal compliance requirements. 

This is an area ANY.RUN has continued to strengthen throughout its 10 years in cybersecurity. Today, our malware analysis and threat intelligence solutions are used by more than 15,000 organizations worldwide, including 74 of the Fortune 100 companies. ANY.RUN is also SOC 2 Type II attested, reflecting our commitment to strong security controls and careful handling of customer data. 

C1b3rWall Congress 2026: Exploring Ransomware Analysis in Action 

Our final stop was C1b3rWall Congress in Ávila, where cybersecurity professionals from both the public and private sectors gathered at the National Police School to discuss the threats shaping today’s security landscape. 

The event gave us a chance to look more closely at one of the most pressing challenges for security teams: ransomware. 

During our session, we demonstrated how ransomware can be analyzed inside ANY.RUN’s Interactive Sandbox and showed how interactive analysis helps teams move beyond a basic verdict.

Instead of simply confirming that a file is malicious, teams can observe how the attack unfolds in real time, identify suspicious processes, examine network activity, and understand the sequence of actions behind the threat. 

This kind of visibility is especially valuable when every decision matters. It gives security teams the context they need to assess risk faster, document their findings, and respond with greater confidence. 

C1b3rWall was also a valuable opportunity to connect with professionals working across different sectors and discuss how clearer behavioral evidence can support stronger, more reliable investigations.

 What Comes Next 

These events gave us the opportunity to connect with security professionals across Europe, exchange ideas, and discuss the challenges teams are facing today. 

The message was clear: faster investigations matter, but so do visibility, trust, and control. Security teams need solutions that help them act with confidence, even when the pressure is high. 

These conversations will continue to shape how we develop ANY.RUN and support SOCs and MSSPs worldwide. 

Thank you to everyone who stopped by, shared their experience, and joined the discussion. See you at the next events. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior, and collect clear evidence for response without maintaining complex in-house infrastructure.

ANY.RUN’s Threat Intelligence solutions also help organizations uncover deeper threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger threat response, and more efficient security operations at scale.

The post From Infosecurity Europe to CONFidence and C1b3rWall: What Security Teams Are Prioritizing in 2026 appeared first on ANY.RUN's Cybersecurity Blog.

The challenge is not that analysts lack skill. Most hunting teams are sharp, methodical, and deeply familiar with attacker playbooks. The real friction is structural: the intelligence feeding hunts is often stale, decontextualized, or missing the behavioral granularity needed to write anything more than a broad, noisy detection. 

MITRE ATT&CK tells you a technique exists. It does not tell you how it behaves in a real attack chain against a real target. That gap between abstract TTP and concrete execution behavior is where many hunts quietly die. IOCs arrive stripped of context: you block an IP, a rotated domain from the same campaign lands in your environment three days later, and sails straight through.  

And then there is the false-positive problem. Not a technical inconvenience but a morale and process killer. Every alert that turns out to be Outlook talking to a Microsoft licensing server erodes confidence in the detection pipeline. Over-tuned rules miss real threats; under-tuned rules train analysts to discount the queue. 

In this article, we’ll explore how threat intelligence supports core hunting workflows and how ANY.RUN’s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence. 

Key Takeaways

• Threat hunting fails structurally, not skillfully. The bottleneck is intelligence quality.
• Behavioral context beats indicators. A single IOC blocked solves nothing if the campaign behind it isn’t understood. Pivoting from one artifact — a mutex, a file path, a Suricata tag — into a full attack chain is what separates hunting from blocklisting.
• Hypothesis validation requires real attack data. ATT&CK describes techniques in the abstract. Effective hunting needs to know how a technique behaves in live, active campaigns — which tools operationalize it, what infrastructure it touches, what artifacts it leaves.
• False positives are a strategy problem, not just a noise problem. Every low-fidelity alert that consumes analyst attention is a detection that wasn’t built right. Validating rules against real samples before deployment is the difference between a detection pipeline and a distraction pipeline.
• Intelligence layers serve different operational needs. TI Lookup drives active investigations; TI Feeds keep automated defenses current; TI Reports bridge the gap between raw campaign data and detection engineering or executive briefings.
• AI-assisted triage is a force multiplier, not a replacement. Tier 1 reports, AI summaries, and sandbox recommendations don’t replace analyst judgment — they eliminate the translation work between analysis output and operational action, freeing analysts for work that actually requires them.
• Hunting ROI is measurable — if you instrument it correctly. Earlier detection, defense calibrated to active threats, and analyst time redirected to genuine risk: each is quantifiable. Programs that cannot demonstrate these outcomes don’t lack value — they lack the intelligence infrastructure to produce it consistently.

1. Hypothesis Validation: Device Code Phishing

Scenario: A hunter develops a hypothesis: adversaries may be abusing Microsoft’s Device Code authentication flow to compromise organizational accounts without triggering MFA. The technique is real, but the team needs evidence it is active now and a way to identify the behavioral signatures that distinguish attacks from legitimate device authorization. 
 
The struggle: Generic queries against authentication logs produce enormous volume. Without knowing what a malicious device code flow actually looks like in practice — which referrer domains initiate the redirect, which PhaaS kits are operationalizing the technique, what the email delivery chain looks like — the team is essentially querying blind. 

The solution: TI Lookup allows the hunter to query the Microsoft device auth endpoint directly and immediately retrieve sandboxed sessions where the technique is observed in the wild. 
 
url:”https://login.microsoftonline.com/common/oauth2/deviceauth?code=*” 

Sessions are tagged automatically: Phishing, oauth-ms-phish, and kit-specific tags like Kali365 (a PhaaS platform specializing in Device Code Phishing). 

We can view any of the analyses sessions, for example: https://app.any.run/tasks/fc973b26-7cc8-4253-a313-1b77ff27f04c/  

The hunter can inspect the full referrer chain: 

In live cases, the redirect to Microsoft’s legitimate device auth endpoint originates from external domains, including those with unusual TLDs. 

Subsequent queries can filter by TLD against the device code URL, giving the team a concrete list of suspicious referring domains to feed into SIEM monitoring or block lists. 

url:”https://login.microsoftonline.com/common/oauth2/deviceauth” and domainName:”.de$” 

For more targeted investigation, the hunter can also query by threat name and file path to retrieve the actual phishing emails (.eml files) used to deliver the initial lure, exposing sender patterns, subject line templates, and infrastructure metadata. 

Impact: 

• Hypothesis validated against real, live attack data rather than technique abstractions. 
• Concrete IOCs and behavioral signatures ready for SIEM query development. 
• Email metadata exposed for deeper organizational log correlation. 

2. Behavioral Pivots: Tracking a Stealer Family via Mutex 

Scenario: A suspicious executable is submitted for analysis and identified as a stealer. The analyst notices a mutex with a hardcoded prefix — Global\EVOLUTION — followed by a randomized suffix. The question is whether this prefix is unique to this malware family and, if so, how widely deployed it is. 
 
The struggle: A mutex with a random suffix has no stable IOC value. Standard threat feeds will not carry it. Searching for the full string is guaranteed to miss variants. The behavioral pattern is clearly significant but there is no obvious path from a single sample to campaign-level coverage. 

The solution: A wildcard query in TI Lookup (syncObjectName:”Global\\EVOLUTION*”) immediately surfaces a number of additional samples sharing the same hardcoded prefix with different randomized tails, confirming the pattern is not incidental but a structural artifact of this malware family. 

Cross-referencing the mutex results against file path artifacts reveals that affected systems consistently produce a dump archive at C:\Users\admin\AppData\Local\Temp\evo_[random]\stolen.zip — a second independent behavioral indicator that definitely looks like a stealer.  

Running OR and AND lookup combinations of both indicators allows the hunter to tune coverage: OR for maximum reach, AND for high-confidence, low-noise detections:

• filePath:”C:\Users\admin\AppData\Local\Temp\evo_\stolen.zip” OR syncObjectName:”Global\EVOLUTION”
• filePath:”C:\\Users\\admin\\AppData\\Local\\Temp\\evo_*\\stolen.zip” AND syncObjectName:”Global\\EVOLUTION*” 

Starting from a single mutex observation, the hunter has now built a multi-indicator behavioral profile of an entire malware family. 

Impact:  

• Single behavioral artifact expands into full campaign coverage. 
• Multi-indicator detection logic developed and validated before touching production systems. 
• No reliance on stable IOCs — detection survives malware updates. 

3. Enrichment: Suspicious Domain in an Inbound Email 

Scenario: An email from an unknown sender arrives containing a link to an unfamiliar domain. Standard policy would flag this for review. The analyst needs to determine quickly whether the domain is genuinely malicious or simply unknown, and if malicious, what the full attack chain looks like. 

The struggle: WHOIS data shows the domain is recently registered. Passive DNS shows limited history. Reputation feeds return no verdict. The analyst has a suspicious domain but no behavioral context — no sense of what the domain delivers, what it steals, or what infrastructure it connects to. 

The solution: The domain search in TI Lookup returns sandbox sessions where the domain has been analyzed. 

domainName:”miracleplayssystems.com” 

The hunter opens one and immediately sees a Microsoft 365 login page clone hosted on the suspicious domain, automatically tagged by ANY.RUN.  

Suricata network threat detections reveal the specific phishing kit — FlowerStorm.

The rule details expose the exfiltration endpoint:  

HTTP tab features a separate domain to which stolen credentials are posted:  

The HTTP traffic view makes the data flow explicit: M365 credentials submitted to the fake login page are forwarded to infrastructure the attacker controls, not to any Microsoft domain.  

This gives the analyst not just a verdict but a full attack chain — delivery domain, phishing kit identity, exfiltration endpoint — all from a single lookup. 

Impact:  

• Unknown domain enriched with full attack chain in minutes. 
• Exfiltration infrastructure identified and added to block lists proactively. 
• Phishing kit attribution enables broader campaign hunting. 

4. Expansion: LOLBin Abuse and Campaign Attribution 

Scenario: An alert fires: MSBuild.exe — a standard Microsoft .NET build component — is establishing a network connection to an unknown IP on a non-standard port. This is a textbook living-off-the-land technique, but the specific context (which campaign, which malware family, how widespread) is unknown. 
 
The struggle: MSBuild.exe connecting outbound is not inherently malicious; it is used legitimately in CI/CD pipelines. The challenge is distinguishing targeted abuse from normal build activity and understanding whether the destination IP is part of a broader campaign or an isolated incident. 

The solution: Combining the destination IP with the MSBuild.exe command-line pattern in a TI Lookup query surfaces sessions where the same combination has been observed. 

destinationIP:”212.34.141.103″ and commandLine:”C:\\Windows\\Microsoft.NET\\Framework64\\v*\\MSBuild.exe” 

Opening a representative session shows MSBuild.exe establishing a C2 connection and exfiltrating host reconnaissance data — CPU, OS version, running processes:  

The Processes tab in the sandbox shows what user data gets exfiltrated:

A vendor-specific detection tag (rmrlx) links this activity to a named malware family: 

threatName:”rmrlx” 

Pivoting on that tag reveals associated infrastructure across multiple IP addresses and exposes the threat actor group responsible — Colombian Smugglers — which uses SVG smuggling as a delivery mechanism and has evolved from targeting Colombian organizations to targeting US and European companies. The hunter can now see the full threat actor profile: initial delivery technique (SVG smuggling), malware families used (vjw0rm, quasar, remcos, xworm, rmrlx), geographic targeting, and infrastructure overlap with adjacent groups like BlindEagle. 

threatName:”colombian-smugglers” 

Use this TI Lookup request to find sandbox analyses exposing SVG smuggling technique:  

threatName:”colombian-smugglers” and filePath:”.svg$” 

Impact: 

• Single alert pivots into full threat actor profile and campaign map. 
• Infrastructure correlation surfaces additional C2 endpoints for blocking. 
• Geographic and targeting intelligence enables prioritized defensive response. 

5. False Positive Validation: Hunting Rule Noise Reduction 

Scenario: ANY.RUN’s hunting rules include a signature that fires when a Windows PC hostname is observed being transmitted in network traffic — a behavior common to stealers and RATs that use hostname as a victim identifier.  

suricataMessage:”HUNTING [ANY.RUN] Windows PC hostname observed” 

The rule catches real threats, but the analyst needs to verify that every hit is genuinely malicious before adding it to production detection. 

The struggle: Hunting rules cast wide nets by design. A rule targeting hostname exfiltration will fire on legitimate software that also transmits device identifiers. Without behavioral context, distinguishing malicious exfiltration from legitimate telemetry requires manual investigation of every hit. 

The solution: Let’s view one of the found sandbox analyses: https://app.any.run/tasks/56e01444-87a2-4cf4-874a-41e56ce60221/ 

The analyst sees the Suricata alert firing on Outlook.exe, but the destination is licensing.m365.svc.cloud.microsoft, a legitimate Microsoft licensing endpoint.  

The HTTP details confirm the behavior: Outlook is sending device and license metadata as part of a standard Office perpetual license renewal (renewperpetuallicense), and the server responds with a 200 OK confirming the HomeBusiness2021Retail license status. This is unambiguously legitimate. The analyst documents this as a known false-positive pattern and adds an exclusion for Microsoft licensing endpoints — keeping the rule sharp without discarding it. 

Impact:  

• False positive identified and documented before reaching production. 
• Detection logic refined without reducing coverage of genuine threats. 
• Analyst time focused on confirmed malicious activity. 

6. Detection Engineering: YARA Rule Development and Validation 

Scenario: During stealer sample collection, an analyst encounters a .NET executable that drops a zip archive named with a consistent pattern: Unix-[HOSTNAME]-[ID].zip. The behavioral artifact is interesting but the analyst wants to build a durable, validated detection rule, not just add a file path indicator that will break when the malware author changes the naming convention. 

The struggle: Writing YARA rules against behavioral artifacts requires understanding what strings are genuinely hardcoded into the binary versus what is generated at runtime. Testing rules against a small sample set risks both false positives from broad string matches and false negatives from a sample set too small to represent the full malware family. 

The solution: Static analysis of the .NET binary in Detect It Easy reveals human-readable strings embedded in the assembly — a common characteristic of .NET malware.  

Filtering for strings containing “Unix” surfaces several hardcoded identifiers specific for this malware:  

• Unix Stealer Log 
• UnixStealer 
• UnixStealerIV!@# 
• UnixStealer2024Key! 

A YARA rule built around these strings uses wide matching for Unicode-encoded strings and fullword to minimize false positives.  

rule UnixStealer { 

    meta: 

        description = "Detects UnixStealer malware" 

        date = "2025-12-18" 

        author = "ANY.RUN:A.Adhikara" 

    strings: 

        $x1 = "Unix Stealer Log" fullword wide 

        $x2 = "UnixStealer" fullword 

        $x3 = "UnixStealerIV!@#" fullword wide 

        $x4 = "UnixStealer2024Key" fullword wide 

    condition: 

        uint16(0) == 0x5A4D and any of ($x*) 

}

Running the rule through TI Lookup’s YARA Search validates it against millions of real malware samples — returning 17 matching samples with no unrelated hits.  

Noticing that the year is hardcoded in one string, the analyst refines it to a regex pattern (/UnixStealer20\d{2}Key/ wide) to ensure the rule covers future builds where the author updates the year.  

Re-validation against the corpus confirms the refined rule catches the same 17 samples and introduces no new noise. 

Impact:  

• YARA rule validated against millions of real samples before deployment. 
• Rule designed to survive malware version updates through regex generalization. 
• Detection shipped with high confidence — no post-deployment tuning required. 

How Threat Intelligence Feeds Support Threat Hunting 

WhileTI  Lookup excels at interactive investigations, Threat Intelligence Feeds help operationalize hunting at scale. 

Threat Intelligence Feeds can be integrated directly into SIEM, EDR, XDR, SOAR, firewalls, and other security platforms, providing continuously updated indicators and threat context. 

For threat hunters, this supports several key workflows: 

• Prioritizing investigations involving known malicious infrastructure. 
• Correlating internal telemetry with active attacker infrastructure. 
• Identifying emerging campaigns before internal detections trigger. 
• Automating enrichment during hunts. 
• Reducing manual IOC collection and maintenance. 

By continuously injecting fresh intelligence into security tooling, feeds allow hunting teams to focus on analysis rather than data gathering. 

Accelerating Hunts with Sandbox Intelligence 

ANY.RUN’s Interactive Sandbox provides additional capabilities that reduce investigation time and improve analyst productivity. 

Tier 1 Reports 

Tier 1 Reports automatically summarize malware behavior in analyst-friendly language, making it easier for junior and mid-level analysts to understand threats without spending significant time reviewing every artifact manually. 

This helps SOC teams rapidly assess suspicious files and decide whether deeper hunting activities are necessary. 

AI Summary 

AI Summary condenses complex malware executions into concise narratives, highlighting the most important findings, suspicious behaviors, and attack stages. Hunters can quickly understand what happened during execution before diving into technical details. 

AI Recommendations 

AI Recommendations suggest potential next steps for investigation, including relevant artifacts, indicators, and behaviors worth examining further. This helps analysts identify additional hunting opportunities and reduces the likelihood of missing important evidence. 

Why Threat Hunting Matters to the Business 

Threat hunting is often discussed as a purely technical discipline, but its ultimate purpose is business protection. Organizations invest in hunting because reactive security alone is no longer sufficient. Modern attackers frequently evade automated detections, abuse legitimate tools, and remain hidden for extended periods. 

However, threat hunting itself introduces operational challenges: 

• Significant analyst time requirements. 
• Skill shortages. 
• Investigation fatigue. 
• High volumes of telemetry. 
• Difficulty prioritizing hunting activities. 
• Challenges demonstrating measurable business value. 

Without proper intelligence support, threat hunting can become expensive and inefficient. Threat intelligence helps address these challenges by reducing investigation time, improving prioritization, increasing analyst productivity, and enabling teams to focus on the threats that matter most to the business. 

The result is faster threat discovery, reduced dwell time, lower incident response costs, and improved resilience against advanced attacks. 

For MSSPs, intelligence-driven hunting also enables more scalable operations, allowing analysts to investigate more environments without proportionally increasing staffing requirements. 

Conclusion 

Threat hunting is no longer about manually searching through massive volumes of logs and hoping to uncover something suspicious. 

Successful hunting depends on context. 

Threat intelligence provides that context by connecting indicators, behaviors, infrastructure, malware families, campaigns, and threat actors into a coherent picture. It transforms hunting from a reactive research exercise into a focused, intelligence-driven process. 

With Threat Intelligence Lookup, Threat Intelligence Feeds, Threat Intelligence Reports, YARA Search, and AI-assisted analysis capabilities, SOC teams can validate hypotheses, enrich investigations, expand discoveries, improve detections, and reduce time spent on manual research. 

The result is a threat hunting program that is faster, more scalable, and more closely aligned with both security and business objectives. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure. 

ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale. 

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.

Scale your SOC with faster threat validation →

FAQ

The post Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss appeared first on ANY.RUN's Cybersecurity Blog.

We sat down with Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, to discuss how ANY.RUN’s solutions help their team scale triage, prevent incidents, and achieve consistent security risk reduction.

Lean Team, Broad Responsibility  

UMass Boston operates as a premier R1 research university with a digital footprint encompassing a population of over 50,000 students, faculty, and staff.   

The core security operations team tasked with defending this environment is remarkably compact, consisting of only three specialists and the SISO. Because of this lean staffing model, the team utilizes a cross-pollination strategy where each member manages various roles, including endpoint security, threat hunting, and threat management.   

This small group of professionals carries the primary responsibility for the entire institution’s digital safety.   

The Challenge of Balancing Threat Response and Infrastructure Overhead  

Before adopting a cloud-based sandbox, the team was under constant operational pressure to keep up with incoming threats while maintaining speed and accuracy in triage.  

At the time, their setup included an internal detection lab for threat analysis and validation. Yet, managing physical space, equipment, software licensing, and constant updates for an in-house environment pulled limited team resources away from active security operations.   

The recent departure of two team members further increased this strain, making it difficult to balance infrastructure maintenance with the daily requirement to fight incoming threats.

The university needed more than a safe, secluded environment to test and validate malware without risking the production network. It needed a way to support faster triage, consistent threat validation, and real-time decision-making as part of everyday SOC workflows, without adding operational overhead.  

Introducing ANY.RUN’s Sandbox into the Security Loop  

Integration of the Interactive Sandbox was a necessity driven by the critical goal to support faster and more scalable threat validation. The team also needed to teach students in the SOC, within a safe, secluded environment that would not put the institution’s production network at risk.  

The university integrated ANY.RUN’s solution as a behavioral validation layer within their defense stack alongside Microsoft Defender and Abnormal Security.  

The solution was easy to set up and fit into the team’s existing workflows without disruption.  

Instead of spending time maintaining their own lab, the team now had a ready-to-use, air-gapped environment for analyzing malicious content at scale. This provided immediate operational value, freeing up time, and allowing the SOC to focus on detecting and responding to critical threats more efficiently.   

Scaling Detection and Speeding up Triage with the Same Team  

At UMass Boston, the ANY.RUN sandbox now acts as a central component of the daily triage process for the phishing and abuse of mailboxes.   

By utilizing ANY.RUN’s API integration with Abnormal, the team automatically sends suspicious emails, links, and attachments for analysis at the click of a button, removing manual steps and standardizing the triage process.   

Where previously analysts relied on incomplete signals, they now have a visual confirmation of threats’ behavior.   

The automation transformed how quickly detection and verification happen, reducing the time required to analyze and get conclusive verdicts on suspicious submissions.   

Faster, evidence-based triage reduced uncertainty, stabilized operations, and ensured that real threats are identified and handled without delay.   

As a result, the team can make confident security decisions at speed and scale, allowing them to process higher volumes of alerts without increasing the headcount or sacrificing decision quality.  

Preventing a Phishing Incident Missed by Email Filters  

The effectiveness of the team’s sandbox-based defense was demonstrated during a mass email campaign that occurred just before Christmas in 2025, a holiday period when attack volume increases and users are more likely to engage with incoming emails.   

Despite having established email security controls in place, the attack passed through primary filters undetected. This is exactly where most organizations become exposed, as missed threats can lead to incidents without a sandbox layer in place.  

Instead of relying on the initial verdict, the team escalated the suspicious emails through their sandbox workflow. Using the API integration, they detonated the content and observed its behavior in a controlled environment.  

This analysis revealed that the email was a sophisticated phishing scam hosted through Google.  

The combination of a proactive team and immediate access to sandbox capabilities allowed UMass Boston to validate the threat, make a confident decision, and contain it before it reached users.  

Without this step, the attack could have resulted in credential theft and unauthorized access to internal systems, putting users, research continuity, and institutional trust at risk.

Reducing Risk in Access Control  

Beyond email security, ANY.RUN’s solution helps the team manage internal requests regarding blocked websites. When students or staff encounter a firewall block, the security team uses the sandbox to determine if a site is truly malicious or merely misclassified.   

This visual verification allows them to see if a legitimate website has been hijacked to serve malware, providing the analytics needed to make accurate access decisions. The team confidently requests re-categorization from their firewall vendor based on observed behavior.  

With ANY.RUN, access decisions have become faster and more defensible. Analysts have concrete behavioral evidence to support allow or block actions, reducing unnecessary restrictions for users while maintaining security.  

Meeting Compliance and Cyber Insurance Requirements  

UMass Boston operates under frequent state audits that require detailed evidence of security processes. These are directly tied to regulations such as FERPA, which governs the protection of student data, and the Massachusetts Data Security Law, which mandates safeguards around personal information and access control.  

Modern auditors demand documented artifacts and evidence of how the university manages security. ANY.RUN’s sandbox gives the team this proof. Each analysis shows what the threat does, making it easier to explain decisions and demonstrate how incidents are handled.  

Having a dedicated sandbox environment is also a mandatory requirement for many cyber insurance brokers to maintain coverage. Adopting the solution allowed the university to fill a previous gap in their compliance posture and meet these rigorous insurance standards. 

A Practical Model for Teams Facing Similar Challenges

The security model developed at UMass Boston is starting to extend beyond a single campus, particularly among teams operating with similar staffing constraints. The team regularly shares real cases and demos with other SISOs and security teams, including peers at Bridgewater State University.   

For teams with limited resources, the sandbox-driven approach provides a way to handle more threats without increasing headcount, while lowering the risk of missed or misclassified incidents.  

Conclusion  

The UMass Boston case highlights how a lean team can successfully defend a massive research institution by relying on a multi-layered “mesh approach” in security and powering it with effective solutions like ANY.RUN’s Interactive Sandbox.  

We would like to thank the University of Massachusetts Boston for allowing us an inside look at their security operations. We are especially grateful to Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, for sharing their time and professional insights.    

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure. 

ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale. 

Scale your SOC with faster threat validation →

The post Protecting 50,000 Users: How ANY.RUN Drives Incident Prevention at UMass Boston appeared first on ANY.RUN's Cybersecurity Blog.

Why ANY.RUN’s Momentum Leader Title Matters for Your Team 

G2 awards the Momentum Leader spot to companies that show high growth and strong market resonance. They calculate this score by looking at real customer feedback and how quickly teams are adopting the solution. 

Modern SOCs often deal with high alert volumes and evasive attacks that beat traditional defenses. The ranking shows that more security teams are choosing ANY.RUN as a better way to respond to these challenges and detect malware & phishing early.  

When an analyst can clearly see what a suspicious file or link is doing in real-time, they stop guessing and start taking action. This speed directly improves both security metrics like MTTR and overall business security, helping prevent incidents, downtime, and financial losses. 

Building Strong Relationships Through Usability 

G2 also awarded ANY.RUN with the title of a #1 Malware Analysis Vendor in the Relationship Index, demonstrating customers’ high regard for our products’ usability, support, and overall reliability over time. 

As noted by ANY.RUN CEO, we aim to provide “a burnout-free environment SOC teams actually want to return to”. Recognition by G2 shows that we deliver on our vision by creating a consistent experience for everyone on the client’s team: 

• Tier 1 analysts use ANY.RUN’s products to reach accurate threat verdicts faster. 

• Tier 2/3 professionals save time on routine tasks so they can focus on deep, complex investigations. 

• CISOs, Heads of SOC, and other security leaders see more stable performance across different shifts and a significant risk reduction for the company. 

Stronger Results for Modern Security Operations 

When SOC and MSSP teams use ANY.RUN’s malware analysis & threat intelligence solutions, they get full context on files, URLs, IOCs, IOAs, and IOBs for fast and confident decisions. 

The clarity ANY.RUN provides, reduces uncertainty and leads to measurable improvements in security posture: 

• Accelerated Triage and Detection: Direct observation lets teams move from uncertainty to action fast, lowering investigation time and operational costs. 

• Immediate Confirmation of Business Exposure: Instant visibility helps leaders understand threat impact earlier and prevent successful breaches. 

• Enhanced SOC Efficiency and Stability: ANY.RUN supports decision-making across tiers, enabling consistent quality of investigations and reduced operational friction. 

• Comprehensive Multi-Platform Analysis: Broad visibility across Windows, macOS, Linux, and Android environments provides the exact execution context needed for precise, enterprise-scale incident response. 

• Secure and Controlled Investigations: Private analysis, SSO, and team-based access let teams collaborate within shared workflows without compromising investigation security. 

Conclusion 

At the end of the day, a successful SOC needs three things: speed, clarity, and consistency. The recognition from G2 confirms that ANY.RUN empowers teams to achieve those goals.  

We help SOC professionals understand threats earlier and make confident decisions even under pressure. We are excited to keep building solutions that reduce risk and make security operations more efficient. 

About ANY.RUN 

ANY.RUN develops cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows. The company’s mission is to deliver fast threat understanding and confident incident response. 

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.  

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection. 

The post Leader in Malware Analysis: ANY.RUN Named Top Vendor in G2 Summer 2026 Awards appeared first on ANY.RUN's Cybersecurity Blog.

It covers trending malware families, TTPs, and other technical observations, while also delivering executive insights CISOs and SOC teams can use to connect attacker behavior to business risk. 

Combining data-backed malware trends with strategic guidance for security leaders, the report reveals critical gaps in detection, response, and visibility that directly impact business resilience, and outlines solutions organizations can use in their defense strategy. 

Explore the full report to discover seven key cyber risk trends, their strategic implications, and the security priorities organizations should consider for Q2 2026. 

Q1 2026 Cyber Risk Report

Discover top trends shaping the modern threat landscape:

• +14.7% increase in credential theft
• +98.3% growth in loader-based attacks
• +58.4% rise in LOLBAS low-noise attacks

Get FREE report

What the Data Shows 

• Early-stage compromise is an overlooked risk: Loader-based attacks nearly doubled, highlighting the expanding role of these tools used for initial compromise in organizations. 

• Identity remains a primary target: A 14.7% increase in credential theft activity shows that attackers prioritize gaining valid credentials that allow them to operate in a low-noise way. 

• Trusted tools are increasingly weaponized: For instance, LOLBAS attacks leveraging JavaScript rose by 58.4%. 

• Detection and attribution are becoming more challenging: The growing popularity of credential abuse and trusted tool exploitation makes behavior-based monitoring and anomaly investigation increasingly important. 

The full report expands these and other threat intelligence insights, including trending malware families and attack vectors, as well as the evolving nature of modern cyber risk and its strategic implications for Q2 2026, supported by data and actionable recommendations. 

The Growing Cost of Delayed Response 

One of the clearest messages from ANY.RUN’s Q1 2026 Cyber Risk report is that defenders have less time than ever to detect and respond. 

Median times such as 21 seconds to persistence establishment and 16 seconds to Living-off-the-Land (LOTL) execution using native system tools prove that the window between initial compromise and attackers foothold continues to shrink. 

In this environment, speed and certainty in investigations become a key advantage for security teams. Establishing early threat detection and rapid investigation flow is what allows successful SOCs to act before incidents escalate to financial impact. 

This is where enterprise-scale malware analysis and threat intelligence solutions become critical. By providing faster visibility into attack behavior, the help reduce investigation time, accelerate decision-making, and ultimately limit the business impact of security incidentsthrough early detection and response. 

Give Your SOC the Threat Visibility It Needs with ANY.RUN 

ANY.RUN gives security leaders stronger control. With malware analysis and threat intelligence solutions get in-depth threat visibility, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and fast validation of threats without losing visibility or control.  

With these capabilities, enterprise teams can:  

• Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time.  

• Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved.  

• Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access.  

• Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history.  

• Strengthen detection coverage to connect related infrastructure, IOCs, and attack patterns.  

• Support enterprise-scale response with analysis across major operating systems. 

About ANY.RUN 

ANY.RUN provides cybersecurity solutions that help organizations strengthen security operations and respond to threats with greater speed and confidence. The company’s mission is to enable security teams to understand threats faster, make informed decisions, and operationalize threat intelligence across detection, investigation, and response workflows. 

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection. 

ANY.RUN is SOC 2 Type II attested, demonstrating its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, ANY.RUN helps reduce investigation uncertainty, accelerate triage, and transform threat analysis into actionable intelligence. 

The post Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations  appeared first on ANY.RUN's Cybersecurity Blog.

Discover the updates your team can use to strengthen SOC performance, reduce response delays, and stay ahead of emerging threats. 

Product Updates

In May, ANY.RUN introduced new capabilities to help SOC and MSSP teams reduce investigation delays, improve threat visibility, and make faster response decisions. The updates include decision-ready Tier 1 Reports with AI-powered insights and a new Threat Intelligence Feeds integration with Elastic Security.

Reduce Investigation Delays with Decision-Ready Tier 1 Reports 

SOC teams can now generate structured Tier 1 Reports directly in ANY.RUN’s Interactive Sandbox, turning complex analysis findings into clear, actionable intelligence for faster response decisions.

Instead of reviewing raw technical data or rebuilding investigation context during escalations, teams receive a ready-to-use report with a threat verdict, key IOCs, behavioral indicators, and MITRE ATT&CK mapping. Each report also includes an AI Summary with threat classification, a concise overview of the incident, and recommendations for the next response steps.

This gives SOC managers, Heads of SOC, and CISOs a clearer view of incident severity, potential business impact, and response priorities while helping teams move cases forward without unnecessary delays.

With Tier 1 Reports, your SOC can: 

• Accelerate alert triage: Help Tier 1 teams validate threats and make faster escalation decisions.
• Reduce investigation delays: Give Tier 2 and incident response teams structured context without requiring them to reconstruct the case from raw data.
• Improve SOC efficiency: Reduce repetitive reporting work and free senior teams to focus on high-priority incidents. 
• Strengthen business-risk visibility: Help decision-makers understand which threats require urgent action and where response efforts should be focused.
• Standardize incident reporting: Create consistent, easy-to-share reports for faster internal communication and more informed decisions.

Unlimited Tier 1 Report generation, including AI Summary and Recommendations, is available with Enterprise Suite and Hunter plans. Free plan users receive five shared generations.

ANY.RUN Threat Intelligence Feeds Are Now Available in Elastic Security 

SOC and MSSP teams can now integrate ANY.RUN Threat Intelligence Feeds directly into Elastic Security to bring fresh, sandbox-backed IOCs into their existing workflows.

Built from live sandbox investigations across more than 15,000 organizations and a community of 600,000 security professionals, ANY.RUN Threat Intelligence Feeds provide indicators linked to activephishing, malware delivery, and attacker campaigns.

Once configured, the integration ingests IP addresses, domains, URLs, and other IOCs into Elastic Security on a scheduled basis. Each indicator includes additional context and a direct link to the related sandbox report, helping teams quickly understand threat behavior and TTPs.

Here is what your team gains: 

• Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.
• Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.
• Reduce manual work: Eliminate repetitive enrichment steps and tool switching. 
• Improve detection quality: Use high-confidence indicators in detection rules and correlation logic.
• Speed up triage and response: Access additional context directly in Elastic Security and make faster decisions.

The plug-and-play integration is available to teams with an active Threat Intelligence Feeds license (Threat Intelligence Live or Complete subscriptions).

Integrate ANY.RUN Threat Intelligence Feeds with Elastic Security → 

Threat Coverage Updates 

In May, the detection team continued to strengthen ANY.RUN’s threat coverage by adding 120 new behavior signatures, 1,327 new Suricata rules, and 7 new YARA rules. These additions expand detection capabilities across suspicious behaviors, network-level activities, and file-based indicators.

New Behavior Signatures 

The 120 new behavior signatures added in May cover malware-specific activities, mutex indicators, and exploitation-related behavior. These signatures focus on observable actions and artifacts that appear duringdetonation, helping security teams confirm sample behavior within the sandbox.

Highlighted detections include: 

Tools, RMM & Exploitation: 

New Suricata Rules 

A total of 1,327 new Suricata rules were implemented in May to improve visibility into malicious network activity, including phishing kit communications and C2 check-ins.

• Generic Fake Captcha HTTP activity (sid: 85007558): Detects fake captcha implementations used in the execution chains of various phishing campaigns.
• DrimKit related HTTP GET request (sid: 85007566): Identifies activity associated with the emerged phishing kit known as DrimKit.
• Tycoon2FA related JS file in HTTP response (sid: 84003241): Tracks client-side code loaded by phishing pages related to Tycoon2FA.

New Threat Intelligence Reports 

In May, ANY.RUN released three new Threat Intelligence Reports providing in-depth analysis of recent malware activity and attacker techniques. These reports are available to TI Lookup Premium subscribers tosupport faster investigations.

• CLIPBANKER, KYCSHADOW, and SLOTAGENT: Analysis focusing on clipboard hijacking and related malicious agents.
• SHEETRAT, LOTUS WIPER, and CLOUDZ: Detailed examination of this RAT and associated wiper/cloud-based threats.
• STEALC, NFCMULTIPAY, and NWHSTEALER: Coverage of these specific stealers and their operational behaviors.

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding andclearer evidence for response.

Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.

ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigationuncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: Decision-Ready SOC Reporting, Elastic Security Integration, and 1400+ Threat Coverage Updates appeared first on ANY.RUN's Cybersecurity Blog.

This threat is currently active and primarily targeting organizations in the United States, with victims confirmed across the technology sector, managed security service providers (MSSPs), telecommunications, and education. It has also been observed in Germany, Sweden, Australia, and several other countries.

The financial consequences can quickly escalate beyond incident response costs. Organizations may face operational downtime, regulatory penalties, contractual liabilities, lost business opportunities, reputational damage, and increased cyber insurance expenses. Because MonoGlyphRAT functions as a loader capable of delivering additional malware, even a seemingly minor infection can become the first step toward a large-scale breach with significant business impact.

Key Takeaways

• It is actively targeting US businesses. JS.MonoGlyphRAT is an operational threat, with confirmed victims in the US technology, MSSP, and telecom sectors, delivered via convincing sales-themed phishing lures.
• Most security tools are blind to it. The malware is currently classified as ‘Unknown malware’ on VirusTotal and ThreatFox. Standard signature-based antivirus provides little to no protection.
• It is designed for persistence and deep access. The RAT establishes a permanent foothold via the Windows registry, runs silently in the background, and can pivot to download ransomware, exfiltrate data, or deploy further stages.
• The attack begins with a single click. Employees in procurement, sales, and finance are the primary targets. A .js file disguised as a purchase order or quote is all it takes to compromise a machine.
• The financial exposure is real and immediate. From ransomware deployment to data breach fines and incident response costs, a successful compromise can cost a mid-sized US business millions of dollars — plus reputational damage that is harder to quantify.
• Behavioral detection is the key defense. The malware’s most reliable detection artifacts are behavioral: unusual wscript.exe activity, PowerShell chains launched from a user directory, suspicious registry writes, and HTTP beaconing to non-standard ports. Hunt for these patterns actively.
• ANY.RUN detects and analyzes this threat in real time. ANY.RUN’s Interactive Sandbox first identified and documented JS.MonoGlyphRAT, providing full behavioral analysis, C2 traffic capture, and MITRE ATT&CK mapping. ANY.RUN Threat Intelligence allows defenders to query related IOCs — including C2 IPs, domains, URI patterns, and Suricata rule IDs — to proactively hunt for this threat across their environments. Organizations using ANY.RUN can analyze suspicious .js files in seconds before they reach endpoints, dramatically reducing the window of exposure.

What This Attack Means for Your Business

JS.MonoGlyphRAT is not a smash-and-grab attack. It is designed for persistence — staying hidden on infected machines for as long as possible while giving attackers full remote control. The financial consequences for affected organizations can be severe and varied:

• Ransomware deployment: The malware can silently download and execute ransomware or other destructive payloads, potentially locking businesses out of critical systems and demanding seven-figure ransoms.
• Data theft and regulatory fines: Attackers can exfiltrate sensitive data — customer records, financial information, intellectual property — triggering GDPR, HIPAA, or SEC disclosure obligations and associated penalties.
• Business email compromise (BEC) and fraud: With full access to an employee’s machine, attackers can pivot to email systems and initiate fraudulent wire transfers or supplier fraud.
• Operational disruption: A compromised endpoint in a network operations center or a managed service provider can cascade into downtime for dozens of downstream clients.
• Incident response costs: The average cost of a data breach in the US exceeded $9.4 million in 2024. Detection, containment, forensics, legal counsel, and notification alone typically run into hundreds of thousands of dollars.
• Reputational damage: Clients who learn their MSSP or technology vendor was compromised often terminate contracts, compounding the financial blow.

Because this malware cluster is currently unattributed in public threat intelligence feeds (flagged only as ‘Unknown malware’ on VirusTotal and ThreatFox), standard signature-based antivirus provides little protection. Behavioral detection and sandbox analysis are essential to identify and stop it.

Technical Analysis of a WSH/JScript Backdoor with Monoglyph Obfuscation and PowerShell Stagers

During analysis of Generic clusters of tracked activity, researchers identified an obfuscated JScript sample executed via Windows Script Host (WSH).

The malware uses a distinctive monoglyph obfuscation technique for identifiers: variable and function names are constructed from repeated characters in mixed case (e.g., IiIiIiIiiIII, KkkKKKkKkK, and so on), making the code difficult to read and hampering static analysis.

This cluster has not been publicly identified. In open threat intelligence sources, related samples are classified as unknown malware: ThreatFox marks one of the C2 addresses as ‘Unknown malware’ with threat type ‘payload delivery’, while VirusTotal shows Malicious activity (29/59 detections) but no specific family name.

For tracking purposes, ANY.RUN researchers have designated this cluster JS.MonoGlyphRAT, named after the monoglyph identifier obfuscation method (IiiIIii…, KkkKkKk…, etc.).

The malware implements persistent RAT/loader functionality running on the JS/WScript platform. It achieves persistence via the HKCU Run registry key, collects system and process information via WMI, communicates with its C2 server over HTTP, receives commands through control headers, launches AES-encrypted PowerShell stagers, and supports file execution, remote shell access, payload download, and self-update.

Delivery Vector & Victimology

Based on filenames submitted to the sandbox, the presumed delivery vector is social engineering (phishing with malicious JS attachments) using sales-themed lures: purchase orders, requests for proposals (RFPs), requests for quotations (RFQs), and similar documents.

Sample filenames observed:

• PURCHASE ORDER_12258.js (Analysis session: https://app.any.run/tasks/e39d92e9-a8c3-4c71-8009-2087847fb669/)
• QUOTE_B2026.js (Analysis session: https://app.any.run/tasks/0bd61201-efaf-4b40-ae7b-4af1042a3d17/)
• CKML220066 – MSRS no. 812399.js (Analysis session: https://app.any.run/tasks/8b78c1a7-119b-4980-8639-7756e9bc3edc/)
• QUOTATION2026115.js (Analysis session: https://app.any.run/tasks/040bddbf-3952-4b6d-afa4-56fefa0c3741/)

Industries affected: Technology sector, MSSPs, Education, Telecommunications.
Geographic distribution of victims: primarily the United States, Germany, and Sweden; to a lesser extent Australia, Costa Rica, Greece, Poland, and Turkey.

Execution Chain

The following analysis is based on sandbox session: https://app.any.run/tasks/e39d92e9-a8c3-4c71-8009-2087847fb669/

Initialization

The analyzed sample is a heavily obfuscated JS script (SHA256: 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f).

The defining characteristic is the repeating pattern of object and function names in the code: sequences of the same letter in alternating case — for example, ‘function iiiiiiiiiiiiii()’, ‘var IiIiiiiiiIiIIi’, ‘function Iiiiiiiiiiiiii(iIiiiiiiiiiiii, IIiiiiiiiiiiii)’, and so on.

In the sandbox, the script runs under the wscript.exe process. Shortly after execution, a series of behavioral signatures fire with Malicious and Suspicious severity levels.

Network activity is also visible: the script sends HTTP requests to an unknown IP address.

Observed URLs:

• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX&df=0
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=GEZHOV8LBB7PY4KX
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R&df=0
• hxxp[://]158[.]94[.]211[.]76:34567/ceoznp?ia=UDP3HIP4P5SH3U5R

WSH Bindings

The malware creates wrapper objects for interacting with WScript and WMI.

These provide the following capabilities:

• Process execution;
• PowerShell payload execution;
• WMI data collection;
• File system operations;
• C2 HTTP communication;
• Registry value writing;
• Persistence mechanisms and self-copying to the installation path.

Installation and Persistence

On the first run, the script copies itself into a subdirectory of %USERPROFILE%. After a successful C2 exchange, it adds itself to the Windows autorun mechanism by writing to the registry:

C2 Implementation and Capabilities

C2 connection parameters are defined in a static configuration within the main RAT class.

HTTP C2 addresses are hardcoded; the connectionMode parameter determines the communication scheme: header C2 mode (commands delivered via HTTP response headers) or legacy mode.

On initial connection, the client collects basic host telemetry:

• USERDOMAIN
• USERNAME
• Win32_SystemEnclosure.SerialNumber (via WMI)
• Win32_OperatingSystem.Caption (via WMI)

This data is sent to the C2 in an HTTP POST request.

The server responds with two control headers:

• X-S: <session ID>
• X-A: <command_id>

If the response status code is not 200, or if the X-S header is absent, the RAT client considers the connection failed and enters a shutdown state.

After successful registration, MonoGlyphRAT enters a beacon loop.

The beacon URL format is:
http://<c2_host>/<endpoint>?ia=<session_id>[&<param>=<value>]

If the response status is below 300, the response is passed to the command dispatcher. Otherwise, the connection is considered broken and the client attempts to reconnect.

The command dispatcher reads the command code from the ‘X-A’ header. Supported commands:

The following POST-requests from the client also add parameters to the URL (along with ‘?ia=<session_id>’):

• “&ex=<token>”: file download
• “&sb=<token>”: loader/stage
• “&vc=<token>”: payload URL for stage
• “&df=0”: host telemetry upload

X-A: -7 “Update client”

X-A: 1 “Execute file”

C2 response body format:

• [0:12] — file token
• [12:44] — AES encryption key
• [44:] — hex-encoded file extension

The extracted parameters are passed to SystemUtilities.DownloadAesEncryptedFile, which interpolates them into a PowerShell command executed via the WSH/WMI wrapper objects.

Encryption parameters used:

• Mode: AES-128-CBC
• Padding: PKCS #7
• Key: 16 bytes, supplied per-task in the C2 response body
• IV: ‘sixteenbyteslong’ — static across samples, stored as reverse-hex

X-A: 2 “Execute shell”

C2 response body format:

• [0:32] — AES encryption key
• [32:] — hex-encoded encrypted PowerShell command

Parameters are passed to SystemUtilities.RunEncryptedPowerShellCommand, which constructs and executes a PowerShell command in the same manner as the Execute File handler.

X-A: 3 — In-Memory .NET Execution

This is the most sophisticated C2 handler. C2 response body format:

• [0:12] — loader token
• [12:44] — loader AES encryption key
• [44:] — loader host / argument encrypted blob (hex-encoded)

The handler builds two URLs (loaderUrl and payloadUrl), encodes them as reversed hex, then downloads and executes an additional payload in memory within a newly created .NET process.

The PowerShell command used for execution:

• Reconstructs loaderUrl from its obfuscated form
• Downloads the additional payload
• Decrypts the payload
• Patches AmsiScanBuffer to bypass AMSI
• Assembles the decrypted bytes into a memory buffer
• Reflectively loads a .NET Assembly via [System.Reflection.Assembly]::Load()
• Transfers execution to the entry point: [Software.Program].GetMethod(‘Main’).Invoke()

AMSI patching is implemented using LoadLibrary(‘amsi.dll’), GetProcAddress(‘AmsiScanBuffer’), VirtualProtect(), and Marshal.Copy().

X-A: 4 “Host telemetry”

C2 response body format:

• [0:32] — XOR key from server
• [32] — extended telemetry flag

In the request body:

• “X-A: 4” — “Get host telemetry” command
• “766BBAE98154B60B381CE91BFB5473ED” — XOR encryption key (in hex)
• “1” – get extended info flag

When the flag is set to ‘1’, the client collects an extended host profile:

The data collected:

• USERDOMAIN / USERNAME
• Win32_SystemEnclosure.SerialNumber
• Win32_OperatingSystem.Caption
• Win32_ComputerSystem.TotalPhysicalMemory
• Win32_ComputerSystem.Model
• Win32_Processor.Name
• Win32_VideoController.Name
• Win32_Process.Name (unique entries list, via separate WMI call)

The collected data is XOR-encoded and sent as a JSON payload via POST:

{
    “b”: “<xored_host_info>”,
    “c”: “<xored_process_list>”
}

The POST-request:

POST /<endpoint>?ia=<session_id>&df=0
Content-Type: application/json
<JSON host info payload in request body>

MonoGlyphRAT C2 protocol operation scheme:

The RAT client configuration is set statically in the JS script code:

Threat Landscape

Based on available sources, JS.MonoGlyphRAT is supported by a stable infrastructure cluster — IP addresses, C2 domains, and non-standard URI paths — that remains without attribution (classified as Unknown RAT/malware in public feeds).

ANY.RUN TI related samples query:

destinationIP:”158.94.211.76″ or url:”\?ia=&df=” or domainName:”aryamint.com$” or destinationIP:”91.92.243.79″ or url:”/gATIjh” or url:”/ceoznp” or suricataID:”85006579″ or suricataID:”85006580″ or suricataID:”85006581″

Within the kill chain, MonoGlyphRAT occupies the role of a first- or mid-stage RAT/loader: it establishes persistence on the victim host, sets up a persistent C2 session, and can download and execute additional stage payloads (files, shell commands, in-memory .NET execution).

Attribution to a specific campaign or threat actor cannot be confirmed on the current dataset. While there are consistent infrastructure artifacts, network traffic patterns, and a shared execution chain, these are insufficient for reliable actor attribution.

MITRE ATT&CK Mapping

How ANY.RUN Helps Defend Against JS.MonoGlyphRAT

Defending against threats like JS.MonoGlyphRAT requires visibility across the entire attack chain, from the initial phishing attachment to command-and-control communications and follow-on payload delivery. ANY.RUN’s security solutions help organizations identify and stop such activity at multiple stages.

Using Interactive Sandbox, analysts can safely execute suspicious JavaScript attachments and immediately observe malicious behaviors associated with MonoGlyphRAT, including the execution of wscript.exe, PowerShell spawning, registry-based persistence, C2 communications, and payload delivery attempts.

AI Summary in the Sandbox analysis results automatically highlights key malicious actions, helping analysts understand the attack chain faster and reducing investigation time. In addition, AI Recommendations provide actionable guidance for further analysis, threat hunting, and incident response, helping teams move from detection to remediation more efficiently.

Tier 1 Reports provide ready-made analysis summaries that explain malware behavior, attack techniques, indicators of compromise, and detection opportunities in a structured, easy-to-consume format. This enables teams to quickly understand threats without requiring extensive reverse engineering expertise.

Threat Intelligence Lookup enables defenders to investigate indicators associated with the malware cluster, including IP addresses, domains, URLs, process chains, Suricata detections, and behavioral artifacts. Analysts can quickly determine whether their organization has encountered related infrastructure or attack patterns and pivot across connected indicators to uncover broader malicious activity.

For proactive defense, Threat Intelligence Feeds help security teams enrich SIEM, EDR, XDR, SOAR, and other security controls with continuously updated threat data. By automatically incorporating fresh indicators linked to emerging malware campaigns, organizations can improve detection coverage and block malicious infrastructure before attackers establish persistence.

Together, ANY.RUN’s Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds provide security teams with the visibility needed to detect, investigate, and respond to MonoGlyphRAT infections early, reducing the likelihood of costly incidents, operational disruption, and follow-on attacks such as ransomware deployment.

Conclusions

JS.MonoGlyphRAT is a fully featured persistent RAT/loader built around Windows Script Host, PowerShell, and a custom HTTP C2 protocol. Its purpose is to establish persistence on the victim host, register with the C2, receive operator commands, and download additional payloads and stages.

The defining characteristic of this cluster is monoglyph obfuscation of JavaScript identifiers: class and variable names are constructed from repeated characters in mixed case, making the code difficult to read and hampering manual analysis.

C2 communication is conducted via HTTP headers X-S and X-A, where X-S carries the session identifier and X-A acts as a command selector. The C2 response body contains task parameters: tokens, encryption keys, and encrypted PowerShell or stager payloads.

Functionally, MonoGlyphRAT supports a broad capability set: host telemetry collection, active process enumeration, HKCU Run persistence, AES-encrypted payload download and execution, PowerShell task execution, in-memory .NET code execution, client self-update, and installed copy removal. The implant can also serve as an intermediate platform for delivering subsequent payloads.

From a Threat Intelligence perspective, a distinct code/infrastructure cluster is consistently observed; public TI sources currently classify related IOCs as ‘Unknown malware’, so attribution to a known group or family remains unconfirmed. The working designation JS.MonoGlyphRAT is proposed for analysis and indicator-sharing purposes.

In defensive practice, the most valuable detection artifacts are behavioral:

• wscript.exe executing JS files from user-writable directories
• Registry write to HKCU Run pointing to a .js file
• Process chain: wscript.exe → powershell.exe -nop –enc …
• HTTP POST requests to non-standard ports
• Presence of query parameters ia=, df=, ex=, sb=, vc= and HTTP response headers X-S: and X-A:

Indicators of Compromise (IOCs)

Network Artifacts:

hxxp[://]158[.]94[.]211[.]76:34567/ceoznp

158[.]94[.]211[.]76

91[.]92[.]243[.]79

scan[.]aryamint[.]com

aryamint[.]com

HTTP / C2 protocol Artifacts:

HTTP Header: ‘X-A:’

HTTP Header: ‘X-S:’

POST body pattern: ‘a=iz&b=<data>’

Query parameter: ‘ia=<session_id>’

Query parameter: ‘ex=<token>’

Query parameter: ‘sb=<token>’

Query parameter: ‘vc=<token>’

Query parameter: ‘df=0’ or ‘df=<token>’

Query parameter: ‘kp=<token>’

Query parameter: ‘tw=<token>’

Query parameter: ‘fp=1’

Host-based Artifacts:

File path: %USERPROFILE%\<random letters>\<random letters>.js

Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random letters>

Crypto IV:

Static string: ‘sixteenbyteslong’

Encoded IV: ‘76E6F6C63756479726E6565647879637’ (reversed hex)

Detection patterns:

Process tree: ‘wscript.exe -> powershell.exe -nop –enc …’

Registry key record: ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*’, value contains: ‘wscript.exe | .js’

HTTP POST body: ‘a=iz&b=…’

HTTP response headers: ‘X-S:’ + ‘X-A:’

HTTP query parameters:

• ‘?ia=<session_id>&ex=’
• ‘?ia=<session_id>&sb=’
• ‘?ia=<session_id>&vc=’
• ‘?ia=<session_id>&df=’

JavaScript strings:

• MSXML2.XMLHTTP
• Scripting.FileSystemObject
• Wscript.Shell
• winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
• powershell
• -nop
• -enc
• 76E6F6C63756479726E6565647879637

About ANY.RUN  

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. 

Try ANY.RUN to strengthen your proactive defense 

FAQ

The post From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises appeared first on ANY.RUN's Cybersecurity Blog.

Celebrating a decade of ANY.RUN, CEO Aleksey Lapshin shared his perspective on the evolution of the company, the reality of AI in cybersecurity, and why human expertise remains the most valuable asset in the age of AI. 

Key Takeaways 

• According to Aleksey Lapshin, ANY.RUN was created to solve real problems analysts faced every day: slow investigations, fragmented tools, and inefficient workflows.  

• Lapshin believes that despite rapid AI adoption, human expertise and manual verification are becoming even more valuable in modern SOC operations.  

• One of ANY.RUN’s biggest competitive advantages is its community-driven threat intelligence built from thousands of daily analyst investigations.  

• The company’s long-term vision is to create a faster, less stressful, and more effective environment for cybersecurity teams.  

• The CEO argues that AI will not replace cybersecurity professionals; instead, it will increase the need for skilled analysts capable of validating and responding to complex threats. 

The Foundation of ANY.RUN 

Q: Going back a decade, what was the initial spark that led to the creation of ANY.RUN in 2016? 

Aleksey Lapshin: It started as a very personal mission. I worked as a malware analyst and the tools we had at the time were simply ineffective for the reality of the job. Most antiviruses only gave a simple “yes/no” verdict, while my actual task was to deeply research malware behavior and extract valuable IOCs. Analyzing just one sample and getting meaningful results often took an entire day of manual work.  

I wanted to build a malware sandbox that removed that manual routine of setting up your virtual environment, gave you full interactive control over the VM, and brought the whole process to a unified standard. The main goal was simple: get results fast. I wanted to see what a threat actually does in real time, within seconds of detonating the malware, instead of waiting 10+ minutes for a standard sandbox report.  

Q: How did you go from building a personal project to launching a full product? 

At first, it was just my personal project that I kept using and improving. Then I thought maybe others could use this too. I made a basic landing page, spent $100 on Google Ads, and quickly got more than 100 requests, many from security professionals at large enterprises. The unexpected response inspired me to try to make the sandbox available to the public. But for that, I needed more hands on deck. 

We started with just two people, then grew to three. With this small team, we launched the first public version and even built the very first paid version. For a long time, I personally handled marketing, spoke with potential customers, and closed sales myself. Thanks to that hands-on approach, we reached operational profitability almost from the very beginning. 

We also made a strategic decision to offer a free tier, which was instrumental in building a community around the service early on. Instead of being a solution forced on teams from the top down by management, SOC teams began to adopt us because the analysts themselves found it faster and more effective than anything else they had. This allowed the product to grow naturally within organizations.  

Evolution and the Modern SOC 

Q: How have the company’s goals evolved over these 10 years? 

For a long time, we grew by focusing almost exclusively on the analyst’s technical needs and their individual workspace. Today, we’ve shifted to looking at the landscape from two sides: the analyst and the business.  

Our goal now is to ensure that ANY.RUN’s solutions provide the value businesses and MSSPs need. That means not just helping analysts investigate threats, but helping organizations reduce detection gaps that directly translate into business risk, incident impact, and operational disruption. 

Q: In small versus large SOCs, how does the role of ANY.RUN differ? 

It is hard to speak for every SOC, but I can give you the most common scenarios. In smaller teams where a SOC might not even be fully formed, ANY.RUN’s solutions often become the primary, central workstation. The analysts there are usually handling Tier 1, 2, and 3 duties all at once. They need a “do-it-all” environment where they can perform manual investigations and get immediate results.  

In large-scale enterprise SOCs, where there is a massive and constant flow of alerts, we integrate into a much larger chain of products like SIEM, SOAR, and EDR to provide actionable context. But no matter how advanced the company’s security or how strong their automation is, manual verification is still essential, even more so in the age of AI.  

Attackers now can generate countless sophisticated and convincing phishing variants in seconds. This is exactly why ANY.RUN’s solutions are where SOC teams go to get the real ground truth, remove uncertainty, and make final decisions about risk.  

Q: What is the ideal place for ANY.RUN in a modern SOC environment? 

I’ve always wanted it to be a place where people actually feel comfortable and confident working, which is rare in this industry. Most security solutions can be sterile, exhausting, and quite dull. 

I aim for ANY.RUN to be a burnout-free environment SOC teams actually want to return to because it reduces their fatigue and gives them certainty in their findings. We want to be recognized as one of the primary, essential locations in a SOC, and I’m really happy that clients confirm in their reviews that we’re succeeding in this. But we also know that it requires us to keep working hard to maintain that level of trust and responsibility. 

Philosophy of Growth 

Q: What were the biggest personal milestones and challenges for you during this journey? 

I don’t really view our history through “big bang” milestones or singular moments of triumph. To me, the most important part of the journey has been the constant, incremental improvements we make every single day. 

That said, there is one moment that really stands out to me. Just a couple of months after we released the paid version, the first company reached out and told us they wanted to buy an ANY.RUN subscription for 7 users on a three-year contract. It felt both exciting and overwhelming. I wasn’t sure if we were ready for that level of responsibility, but it made me very proud. It was the real validation that we were solving a genuine pain point for companies.   

As for the biggest challenge, I would say it is always the next step right in front of us, especially since we usually have multiple development streams running at the same time. 

Q: What’s your personal philosophy on growth and success after 10 years of building the company? 

I don’t believe in the traditional cycle of setting a target, reaching it, and then stopping to rest before the next one. What works for me is simply moving forward step by step. I’m always in the middle of achievements, which means less rest but also constant progress. When you look back, you realize how far you’ve come. 

The AI Landscape and ANY.RUN’s Biggest Competitive Advantage 

Q: With AI dramatically lowering the bar for software development, what is ANY.RUN’s biggest competitive advantage today? 

Modern AI can indeed recreate an interface or mimic basic detection logic, but it cannot copy ten years of community trust and human-driven telemetry.   

Our real capital isn’t just the software, it’s the data moat we’ve built over a decade of focusing on the real needs of security professionals. Every day, more than 10,000 companies contribute valuable data to this ecosystem. Their analysts investigate the latest malware and phishing in the sandbox, which generates large volumes of unique telemetry on active threats. 

In theory, AI could build a clone of our sandbox that looks just as good, or even better, but without the community-sourced threat data, it would be like a beautiful car with no gas. 

Our “gas” is over 35,000+ daily human-driven investigations every day, creating a continuous stream of real-world threat intelligence. This data directly translates into faster detection, better context, and earlier understanding of emerging attacks for our paid clients, giving them a clear advantage against attackers. 

That’s why we’ve been investing in and supporting the ANY.RUN community for 10 years, and it continues to be our number one priority. 

Q: What’s your take on the idea of fully autonomous AI SOCs? 

I see AI as a double-edged sword. It drives rapid innovation on both the attacking and defending sides of the cybersecurity landscape.  

Yet, attackers will always be faster because defense must be massive and cover everything, while an attack only needs one successful vector to succeed. Criminals don’t just target systems; they target people. In a phishing attack, for example, they can leverage AI to craft a message designed to bypass another AI so that a human will eventually click on it. 

Because of this reality, I believe the idea of a fully autonomous SOC where AI simply fights cyber threats without any human involvement is totally unrealistic. That is exactly the reason why, with the rise of AI threats, manual verification of alerts by SOC analysts is actually becoming more valuable than ever before. You need a person to validate what the AI might miss or what the attacker has specifically designed to appear benign to an automated filter. 

Of course, many basic attacks can already be largely handled by AI, especially at the detection and initial triage stages. But as more attackers adopt AI, the volume of attacks grows exponentially, so even with higher automation, the total amount of work requiring human validation is likely to increase rather than decrease. 

Q: What are the main risks for companies that are trying to replace their Tier 1 analysts with AI? 

I would say there are two core risks that companies often overlook.  

First, as I said, if you rely solely on AI, attackers will eventually adapt their methods specifically to bypass those filters, and if you’ve removed the human element, you have no last line of defense.  

Second is the “knowledge erosion” problem. Tier 1 is the essential training ground for future specialists; if you automate it entirely, where do your Tier 2 and Tier 3 analysts come from in a few years? You’ll eventually end up with a workforce that lacks foundational experience and “gut feeling” because they never “grew up” handling those initial, real-world alerts. Over time, this creates a structural risk where organizations lose their ability to investigate, contain, and respond to incidents effectively. 

Q: Would you say the cybersecurity industry in 2026 actually needs more people than ever before? 

Absolutely, and thinking otherwise is a self-delusion. While AI helps us automate certain tasks, it also allows attackers to scale the volume and complexity of their strikes exponentially.  

AI doesn’t reduce the need for people in security. It increases the number of problems only people can solve. We’ve found that with the arrival of AI, the industry actually requires more skilled people to deal with the new categories of problems that AI-driven attacks are creating. 

Looking Forward 

Q: As you look forward, what are the key strategic tasks for ANY.RUN in the coming years? 

Our main goal right now is to provide a powerful decision-making layer for SOC and MSSP teams. We want to bring all critical information together so analysts can move from alert to a final decision as quickly and easily as possible. 

We will continue doubling down on our biggest advantage, the unique data we have, while expanding detection capabilities, scaling our infrastructure, and ensuring our solutions deliver real value to both analysts and the business. 

Give Your SOC the Threat Visibility It Needs with Enterprise Suite

ANY.RUN Enterprise Suite gives security leaders stronger control. Teams get full sandbox functionality, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and TI Lookup & YARA Search Premium to validate threats faster and investigate sensitive cases without losing visibility or control. 

With these capabilities, enterprise teams can: 

• Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time. 
• Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved. 
• Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access. 
• Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history. 
• Strengthen detection coverage with TI Lookup & YARA Search Premium to connect related infrastructure, IOCs, and attack patterns. 
• Support enterprise-scale response with longer VM timeout and analysis across major operating systems. 

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions designed to support security operations in businesses and organizations. The company’s goals is to help security teams understand threats faster, make informed decisions, and use threat intelligence across detection, investigation, and response workflows in SOCs and MSSPs.  

The company’s solutions include Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions accumulating investigation data from 15,000+ SOCs for instant enrichment and early threat detection. 

ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into clear, actionable evidence.  

The post Inside ANY.RUN’s 10-Year Evolution: An Interview with CEO Aleksey Lapshin appeared first on ANY.RUN's Cybersecurity Blog.

From fake invitations and banking portals to compromised B2B websites and Word Online lures, the month’s attacks had one thing in common: they were built to look normal long enough to delay detection. 

Here are the major attacks from May and what SOC teams should take away from them. 

Key Business Risks That Stood Out in May Attacks 

The most important lesson from May’s attacks is that many of these campaigns were designed to hide inside normal business activity long enough to create real exposure. 

• Phishing turned into direct access risk: May campaigns did not stop at fake login pages. They led to credential theft, OTP interception, remote access tool installation, and possible account takeover. 
• Trusted workflows became attack paths: Fake invitations, Word Online pages, banking portals, legitimate B2B websites, and RMM tools helped attackers lower suspicion and delay detection. 
• Fileless and browser-based techniques reduced visibility: Blob-generated pages, injected scripts, PowerShell execution, and in-memory payloads made some attacks harder to catch with traditional file or network-based controls. 
• Credential theft created broader business exposure: Stolen email, browser, banking, and session data can open the door to BEC, fraud, SaaS compromise, supplier risk, and lateral movement. 
• Delayed certainty became the biggest SOC problem: When teams cannot quickly confirm whether access was stolen, remote access was installed, or C2 activity happened, response slows and business risk grows. 

Main Targets in May Attacks 

May’s campaigns were concentrated around the business functions and user groups that attackers can use to reach valuable accounts, financial workflows, and internal systems. For CISOs, this helps show where security reviews, detection coverage, and response playbooks should be prioritized first. 

1. Routine Invitations Created High-Impact Access Risk for U.S. Organizations 

In May, ANY.RUN tracked a fake invitation phishing campaign targeting U.S. organizations. The attack used familiar event-style lures to guide users through what looked like a normal invitation flow. Behind that flow, attackers could move victims toward credential theft, OTP interception, and in some cases remote access tool delivery. 

Check detailed breakdown 

This campaign shows how a simple business interaction can turn into an access incident. The user does not need to open an obviously malicious file or interact with a suspicious-looking page. They only need to follow an invitation that feels familiar. From there, the risk can expand from one employee action to exposed credentials, compromised mailboxes, unauthorized remote access, and wider business exposure. 

CISO priority: Security leaders should treat fake invitation flows as more than phishing noise. These attacks test whether the SOC can connect email, browser, identity, and remote access signals fast enough to understand real exposure. ANY.RUN helps teams safely open the full flow, observe credential and OTP collection, identify possible remote access tool delivery, and pivot to related infrastructure before the same campaign reaches more users. 

2. Business Document Lures Put LATAM Enterprises at Credential Theft Risk 

ANY.RUN also analyzed an Agent Tesla campaign targeting enterprises in Latin America. The attack used familiar business-document themes, including purchase orders, invoices, payroll files, and procurement requests, to reach employees who regularly work with external files and supplier communication. 

Check detailed breakdown 

This type of attack goes after the business functions where one stolen credential can quickly create financial and operational exposure. If attackers gain access to email accounts, browser credentials, FTP logins, or other stored data, the risk can move beyond one infected endpoint. It can support BEC, supplier fraud, cloud account compromise, and wider access across company systems. 

Business risk to reduce: Finance, procurement, and payroll inboxes should be treated as high-risk business entry points. A suspicious invoice or purchase order is not only an attachment problem; it may be the first sign of credential theft that can later support fraud or unauthorized access. With behavior-based sandbox analysis, teams can quickly confirm whether a file executed, what data it tried to collect, and which accounts need immediate protection. 

3. Compromised B2B Websites Turned Trusted Browsing into Fileless Malware Risk 

May also showed how legitimate B2B websites can be abused to deliver malware without relying on obvious malicious files. In this activity, attackers used compromised websites and injected scripts to move users toward PowerShell execution, in-memory payload delivery, and outbound C2 communication. 

Check technical details on X 

This is dangerous as the attack starts from a place employees may already trust. The website can look legitimate, the traffic may not stand out at first, and the malicious activity becomes clearer only later in the chain. For enterprises, that means a normal browsing session can turn into fileless execution before the SOC has enough evidence to react. 

Detection gap to close: This is where reputation-based controls are not enough. A known business website can still become part of the attack chain, and fileless execution may leave fewer obvious artifacts for Tier 1 teams to catch. ANY.RUN gives analysts a way to see what happens after the page loads: script behavior, PowerShell activity, memory execution, process injection, and C2 communication. That turns a suspicious browsing event into a response-ready case. 

4. OTP Phishing Showed How Fast Financial Access Can Be Weaponized 

ANY.RUN tracked a large-scale phishing campaign impersonating a U.S. financial institution. The campaign used a multi-step flow to collect usernames, passwords, OTP codes, and email verification data. Its infrastructure was also highly reusable, with hundreds of related phishing domains already identified. 

Check technical details on X 

This attack highlights a dangerous shift: MFA does not remove phishing risk when attackers can intercept OTPs in real time. Once users submit credentials and verification codes, attackers can move closer to account takeover, fraud, and unauthorized access before security teams have a clear picture of what happened. 

For enterprises, the lesson goes beyond one banking-themed campaign. Any organization that relies on login codes, email verification, or user-driven authentication flows needs to understand where those flows can be copied, replayed, or abused. 

MSSP priority: The priority is to move from single-alert handling to campaign-level detection. Blocking one domain will not stop an operation built on reusable templates and rotating infrastructure. ANY.RUN Threat Intelligence helps MSSPs connect related phishing pages, infrastructure, and recurring artifacts, so teams can prove whether authentication data was exposed and help clients act before stolen access becomes fraud or account takeover. 

5. Fake Word Online Lures Turned Document Access into Remote Control 

Another May attack started with an Outlook email and redirected users to a fake Word Online / OneDrive-style page. Instead of pushing an obvious malware download, the chain moved through software installation stages and eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools. 

Check technical details on X 

This is the kind of attack that creates real confusion inside security operations. On the surface, the user is trying to open a business document. Deeper in the chain, the attacker is setting up remote access through tools that may look similar to normal IT or support activity. 

For MSSPs, this is especially dangerous as one alert may not immediately look like a full compromise. A fake document page, a silent installer, an RMM tool, and concealment activity may appear as separate weak signals unless the team can connect them fast. 

Access question for leaders: This attack should push CISOs and MSSPs to ask a harder question: not “Did malware run?” but “Did someone gain hands-on access to the environment?” Remote access abuse is dangerous because it can look close to legitimate IT activity while giving attackers a path back into the network. Teams should expose the full chain from phishing page to installer behavior, RMM deployment, concealment activity, and follow-on access signals to can contain the access path before it becomes persistence. 

6. BlobPhish Exposed a Blind Spot in Browser-Based Credential Theft 

May also brought attention to BlobPhish, a credential-phishing campaign targeting Microsoft 365, major U.S. financial institutions, and webmail services. Instead of loading a phishing page in the usual way, the attack generated the page directly inside the browser using blob objects, keeping the malicious content in memory. 

Check technical details on X

 This matters as many phishing defenses still depend on what can be seen in the email, URL, or network request. BlobPhish weakens that visibility. The page can appear after the browser builds it locally, which makes the attack harder to judge using traditional signals alone. 

For CISOs, this creates a dangerous gap between what the user experiences and what the security stack can clearly prove. For MSSPs, it raises the investigation burden across clients: teams need to understand not only where the user clicked, but what the browser created after the click. 

Visibility gap to close: BlobPhish shows why phishing response cannot stop at URL checks. The real danger is the gap between what the user sees in the browser and what security teams can prove afterward. ANY.RUN allows teams to reproduce the browser-side flow safely, observe how the phishing page is generated, and capture the credential-theft behavior that may not be visible through standard inspection alone. For CISOs and MSSPs, this closes a critical evidence gap before stolen accounts turn into BEC, SaaS compromise, or client-wide exposure. 

Give Your SOC the Visibility May’s Attacks Demand with Enterprise Suite 

May’s attacks made one thing clear: the earliest signs of compromise are often hidden inside normal workflows. A user follows an invitation, opens a supplier file, visits a trusted website, enters an OTP, or previews a document, and the SOC may only see scattered signals until the risk has already moved forward. 

That is where ANY.RUN Enterprise Suite gives security leaders stronger control. Teams get full sandbox functionality, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and TI Lookup & YARA Premium to validate threats faster and investigate sensitive cases without losing visibility or control. 

With these capabilities, enterprise teams can: 

• Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time. 
• Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved. 
• Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access. 
• Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history. 
• Strengthen detection coverage with TI Lookup & YARA Premium to connect related infrastructure, IOCs, and attack patterns. 
• Support enterprise-scale response with longer VM timeout and analysis across major operating systems. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC, MSSP, and enterprise security teams detect threats earlier, and investigate incidents faster. 

With its Interactive Sandbox, Threat Intelligence Lookup, TI Feeds, and YARA Search, ANY.RUN gives teams the visibility they need to analyze suspicious files, URLs, scripts, phishing pages, and malware behavior in real time. Security teams can safely observe full attack chains, extract IOCs, investigate related infrastructure, and turn unclear alerts into evidence they can act on. 

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN supports faster triage, stronger threat visibility, and more confident response across modern SOC workflows. 

The post Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More appeared first on ANY.RUN's Cybersecurity Blog.

The practical path forward combines three capabilities: continuous real-time intelligence that keeps detection systems current automatically, instant IOC investigation that cuts triage from minutes to seconds, and behavioral malware analysis that exposes what attackers actually do — not just static file signatures.

ANY.RUN provides all three. MSSPs that integrate TI Feeds, TI Lookup, Interactive Sandbox, and TI Reports into their workflows report handling significantly more client volume with the same team, while improving detection accuracy and cutting mean time to respond.

The Force Multiplier Approach: Amplifying Human Intelligence

Hiring more analysts isn’t always possible. The global cybersecurity talent shortage makes it difficult. And even if talent were available, inflating staff costs could ruin the business model. Yet, overloading existing teams creates its own risks such as burnout, alert fatigue, and costly mistakes. 

At the core of MSSP growth lies a paradox: human talent is your most valuable asset, but also your most limited resource. 

Threat analysts are the backbone of MSSPs. But their daily work is often filled with repetitive tasks, cognitive overload, and stress from high expectations. Without the right support, even the most capable teams risk crumbling under pressure. 

How To Scale Threat Detection in an MSSP Environment

• Integrate continuously updated threat intelligence into SIEM and detection platforms.
• Automate IOC enrichment and alert prioritization workflows.
• Use live malware analysis to validate suspicious activity faster.
• Standardize investigation and reporting procedures across all analysts.
• Reduce tool fragmentation by connecting investigation and intelligence workflows.
• Use AI-assisted summaries to accelerate triage and escalation.
• Continuously refresh detection logic with real-world attack data.
• Focus analyst time on high-confidence threats instead of manual research.

Analyst Burnout Crisis: Where Efficiency Goes to Die

Why won’t adding more analysts solve your scaling problem? Each additional team member inherits these same systemic issues, multiplying your operational costs without proportionally increasing your detection effectiveness. 

The danger? Analysts become reactive instead of proactive, struggling to keep up rather than driving MSSP growth. 

1. Reduce Analyst Overload by Automating Threat Enrichment and Prioritization

One of the biggest scaling barriers for MSSPs is the growing flood of alerts. Analysts waste time manually validating indicators, checking external sources, and investigating false positives. Over time, this creates fatigue, slower triage, and missed threats.

ANY.RUN helps reduce this operational pressure through Threat Intelligence Feeds and Threat Intelligence Lookup.

Threat Intelligence Feeds continuously deliver fresh malicious IPs, domains, URLs, hashes, and behavioral indicators extracted from live malware analysis sessions. The data can be integrated directly into SIEM, SOAR, EDR, IDS/IPS, and TIP platforms using STIX/TAXII and API integrations.

This allows MSSPs to:

• Automatically enrich alerts with current threat intelligence;
• Filter low-value noise earlier in the workflow;
• Detect emerging campaigns faster;
• Reduce time spent on repetitive IOC validation;
• Improve triage consistency across multiple client environments.

ANY.RUN Threat Intelligence Lookup complements this by giving analysts instant access to deep contextual intelligence connected to suspicious indicators. Instead of manually researching across multiple tools, analysts can immediately investigate domains, IPs, hashes, JA3 fingerprints, processes, command lines, registry keys, and MITRE ATT&CK techniques from a single interface.

The result is a faster, less stressful workflow where analysts spend more time making decisions and less time assembling context manually.

2. Keep Detection Systems Continuously Updated with Fresh Threat Intelligence

Static detection logic becomes obsolete quickly. Attackers rotate infrastructure, modify payloads, and launch new campaigns faster than manual rule updates can keep pace. MSSPs that rely on outdated indicators inevitably develop blind spots.

ANY.RUN lets MSSPs maintain current detections through continuously updated Threat Intelligence Feeds generated from real malware executions inside the Interactive Sandbox.

Unlike traditional static IOC lists, the feeds include:

• Indicators extracted from active attacks;
• Behavioral context tied to malware activity;
• MITRE ATT&CK mappings;
• Threat relationships and campaign associations;
• Real-time updates from thousands of daily analysis sessions.

This helps MSSPs to:

• Detect active threats earlier;
• Improve proactive threat hunting;
• Correlate telemetry with current attacker infrastructure;
• Update SIEM detections automatically;
• Expand coverage without increasing manual workload.

ANY.RUN’s Interactive Sandbox strengthens this process by exposing full malware behavior in a controlled live environment. Analysts can safely observe process execution, network communication, dropped files, persistence mechanisms, and lateral movement attempts in real time.

The Sandbox also generates structured intelligence that flows directly into TI products, turning individual investigations into reusable detection knowledge across all clients.

3. Accelerate Malware Analysis and Incident Investigations to Improve Response Times

As MSSPs grow, slow investigations become a major operational bottleneck. Context switching, fragmented tooling, and manual malware analysis increase MTTR and make SLA compliance harder.

ANY.RUN helps streamline investigations with its Interactive Sandbox. Instead of relying only on static analysis or isolated indicators, analysts can:

• Interact with malware during execution;
• Observe attack chains in real time;
• Analyze phishing payloads safely;
• Visualize process trees and network activity;
• Export IOCs and TTPs immediately;
• Correlate malware behavior with known campaigns.

This dramatically shortens investigation cycles and supports junior analysts in reaching confident conclusions faster.

Combined with Threat Intelligence Lookup, analysts can pivot directly from suspicious artifacts into broader intelligence data, linking incidents to related infrastructure, malware families, and attack patterns without leaving the investigation workflow.

4. Deliver Executive-Ready Reporting Faster with AI-Assisted Analysis 

Client reporting is one of the most time-consuming parts of MSSP operations. Security teams often spend hours translating technical investigation data into understandable business context. ANY.RUN helps accelerate reporting with Tier 1 reports and AI Summary capabilities.

Tier 1 reports provide SOC-ready summaries that consolidate malware behavior, indicators, TTPs, and investigation findings into structured reports that analysts can use immediately during triage and escalation workflows.

AI Summary further reduces reporting time by automatically generating concise explanations of malicious activity observed during analysis sessions. Instead of manually reviewing every process and connection, analysts receive quick summaries highlighting:

• Threat behavior,
• Infection chains,
• Persistence mechanisms,
• Network activity,
• Risk indicators,
• Recommended investigation focus areas.

This helps MSSPs to:

• Reduce time spent writing reports,
• Improve communication between Tier 1 and Tier 2 analysts,
• Deliver faster client updates,
• Standardize reporting quality across teams,
• Shorten escalation cycles.

Together, Tier 1 reports and AI Summary allow analysts to move from raw telemetry to actionable conclusions significantly faster while maintaining consistency across growing client environments.

Scale Multi-Client Operations Without Linear Headcount Growth

The core MSSP scaling challenge is simple: revenue can grow exponentially, but analyst capacity usually cannot. Without workflow optimization, every new client increases operational pressure almost proportionally.

ANY.RUN helps break this pattern by creating a shared intelligence layer across detection, investigation, and reporting workflows.

Interactive Sandbox, Threat Intelligence Feeds, Threat Intelligence Lookup, Tier 1 reports, and AI Summary work together to:

• Reduce manual enrichment;
• Minimize tool switching;
• Standardize investigations;
• Accelerate analyst onboarding;
• Lower escalation rates;
• Improve consistency across client environments;
• Increase investigation throughput per analyst.

This allows MSSPs to scale operations more sustainably while maintaining detection quality and analyst well-being.

About ANY.RUN  

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks. ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. 

Try ANY.RUN to strengthen your proactive defense 

FAQ

The post How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts? appeared first on ANY.RUN's Cybersecurity Blog.