Modern phishing campaigns are designed to create exactly that uncertainty. QR codes, redirect chains, CAPTCHAs, phishing kits, and AI-generated lures can all hide the real objective until late in the attack flow.  

So what does phishing detection that actually works look like for a modern SOC or MSSP? Let’s find out. 

Why Modern Phishing Still Breaks SOC Workflows 

Phishing is still one of the most common ways attackers get into organizations, but the threat no longer follows a simple pattern. Modern phishing campaigns are built to hide their real intent, delay validation, and make investigation harder for already overloaded security teams. 

What makes today’s phishing especially disruptive is the mix of techniques now used in a single campaign. Security teams are no longer dealing with one suspicious email and one malicious link. They are dealing with layered attack flows that may include: 

• redirect chains that hide the real destination 
• QR codes that bypass traditional inspection 
• CAPTCHAs that slow or block analysis
• Phishing-as-a-Service kits that make advanced attacks easier to launch  
• AI-generated lures and deepfake content that make phishing more convincing 

This combination puts much more pressure on SOC workflows. The challenge is understanding what actually happens next and doing it fast enough to reduce business risk. 

The numbers reflect this shift. 20% of phishing campaigns hide links in QR codes, while Tycoon2FA attacks increased by 25% between Q1 and Q3 2025. Gartner also found that 62% of companies experienced a deepfake attack in 2025. Together, these trends show that phishing is more adaptive, more evasive, and more difficult to investigate quickly. 

For SOC teams, this creates a dangerous workflow gap. An alert may show that something looks suspicious, but it often does not reveal whether credentials are being harvested, whether MFA is being bypassed, whether malware is delivered after the phishing stage, or how far the attack could spread if it succeeds. That lack of visibility is where delays begin. 

When visibility breaks down, the workflow usually breaks down with it: 

• triage takes longer 
• confidence in decisions drops 
• more cases are escalated 
• response slows at the exact moment speed matters most 

To make phishing detection work, CISOs need an approach that helps the SOC spot threats sooner, understand their impact earlier, and contain them before they escalate. 

Step 1: Strengthen Monitoring with Fresh Phishing Intelligence

The first step is making sure the SOC can see phishing activity early enough to act on it. If malicious domains, URLs, or campaign indicators surface too late, the team starts every investigation from behind.

Strong monitoring is not just about collecting more alerts. It is about improving what the SOC sees first and giving teams a better chance to catch phishing before it spreads further. The more current and relevant the intelligence is, the easier it becomes to recognize real threats early and prioritize them correctly.

This is where the quality and scale of threat data make a real difference. ANY.RUN’s phishing intelligence is built on first-hand investigations of active campaigns observed across 15,000 organizations and used by more than 600,000 security professionals worldwide. That gives teams access to fresh phishing indicators grounded in real attack activity, not just static or generic reputation data.

With this kind of monitoring in place, SOC teams can: 

• spot malicious URLs, domains, and payloads earlier 
• improve coverage across emerging phishing campaigns 
• enrich detections with context tied to real investigations 
• prioritize alerts faster and with more confidence 

A stronger monitoring layer gives the SOC a much better starting point. And when phishing is detected earlier, every step that follows becomes more effective. 

Step 2: Improve Triage with Full Attack-Chain Visibility 

Early detection is only the starting point. Once a phishing alert reaches the SOC, the next challenge is figuring out what the attack is actually doing and whether it creates real business risk. 

This is where triage often slows down. A suspicious URL or attachment may trigger an alert, but that alone does not show whether the campaign leads to credential theft, MFA bypass, malware delivery, or a broader account takeover attempt. Without that visibility, teams spend more time validating the threat, confidence in verdicts drops, and more cases are escalated than necessary. 

Strong phishing triage should help teams quickly answer a few critical questions: 

• Where does the attack flow actually lead? 
• Is the user being pushed to a fake login page? 
• Are credentials or session tokens being stolen? 
• Does the phishing stage end in malware delivery? 

ANY.RUN helps close this gap with Interactive Sandbox analysis that exposes the full phishing chain in a safe environment. Teams can detonate suspicious URLs and files, follow redirects, open attachments, scan QR codes, and inspect CAPTCHA-protected flows to see how the attack behaves in practice.

Instead of relying on assumptions, they can validate the threat based on what actually happens. Analysts can also interact with the environment at any time, which makes it easier to investigate suspicious behavior manually when a deeper look is needed.

See how a real quishing attack can be analyzed inside ANY.RUN’s Interactive Sandbox in seconds:

This process becomes even faster with Automated Interactivity. By imitating analyst behavior inside the sandbox, it can interact with phishing pages automatically, uncover hidden links behind QR codes, solve CAPTCHAs, and continue the analysis flow without waiting for manual input. That helps teams move through evasive phishing stages faster and reach the real malicious behavior sooner.

Check sandbox analysis with Automated Interactivity 

Stronger triage reduces uncertainty, cuts wasted effort and helps teams reach conclusions faster. That means fewer unnecessary escalations, quicker containment, and less chance for phishing incidents to grow into broader operational or financial impact. 

Step 3: Speed Up Response with Clear Verdicts and Actionable Evidence 

Phishing detection does not end when the SOC confirms that something looks suspicious. The next challenge is turning that analysis into fast, confident response. 

This is where many workflows still slow down. Even after a phishing attack has been investigated, teams often need to manually collect indicators, document what happened, map behavior to known techniques, and prepare findings for escalation or response. That extra effort creates delays at exactly the moment when speed matters most. 

A strong response workflow should give teams what they need to act without friction:

• a clear verdict on the threat 
• extracted IOCs for blocking and investigation 
• mapped TTPs for faster understanding 
• structured reports for escalation and handoff 
• evidence that helps response teams move with confidence 

ANY.RUN helps speed up this stage by turning phishing analysis into decision-ready outputs. Teams can see how the attack unfolds across redirects, phishing pages, credential theft attempts, and payload delivery, often reaching a verdict within the first 60 seconds. Clear verdicts, extracted IOCs, mapped TTPs, visual behavior details, and auto-generated reports make incidents easier to understand and faster to contain.

For CISOs, the real benefit is a faster path from investigation to containment. It helps teams contain phishing incidents sooner, make more consistent decisions under pressure, and reduce the time attackers have to turn a phishing attempt into credential theft, fraud, or wider business disruption. 

What SOC Teams Gain from Stronger Phishing Detection 

When SOC teams improve monitoring, sharpen triage, and speed up response, phishing becomes much harder to turn into a larger incident. Stronger phishing detection helps teams identify suspicious activity sooner, understand it more quickly, and act with greater confidence when time matters most.

This approach drives measurable improvements across day-to-day SOC operations: 

• 36% higher detection rate 
• up to 58% more threats detected 
• 21 minutes faster MTTR per incident 
• up to 20% lower Tier 1 workload 
• 30% fewer Tier 1 to Tier 2 escalations 

The value goes beyond the numbers. Better phishing detection helps reduce alert fatigue by making suspicious activity easier to assess. It also helps Tier 1 handle more cases with confidence instead of pushing unclear investigations further down the workflow. 

Key Outcomes for CISOs:

• Lower breach risk through earlier detection and more informed response
• Reduce the cost of phishing incidents by containing threats faster
• Ease alert fatigue with faster clarity on suspicious activity
• Improve SOC efficiency with quicker, better-informed decisions
• Reduce Tier 1 workload by helping front-line teams close more cases sooner
• Improve consistency  in phishing investigations and response workflow
• Avoid hardware costs by using cloud-based analysis 
• Scale operations more easily as phishing volume grows
• Get more value from existing teams without adding the same operational burden
• Reduce the likelihood of wider business disruption by stopping phishing earlier

Phishing is often the first step in account compromise, fraud, malware delivery, and wider business disruption. When SOC teams can detect it earlier and respond faster, the organization is in a much stronger position to stop the attack before the damage spreads. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps organizations detect, investigate, and respond to modern phishing attacks with greater speed and clarity.

By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN gives SOC and MSSP teams the tools to spot phishing activity sooner, investigate threats more effectively, and respond with structured findings. Its approach helps security teams expose full attack chains, investigate evasive phishing techniques, and make more confident decisions under pressure.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is built to support modern security operations with faster threat visibility, stronger investigation workflows, and more informed response. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection. 

Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization → 

The post Building Phishing Detection That Works: 3 Steps for CISOs  appeared first on ANY.RUN's Cybersecurity Blog.

Key Takeaways 

• macOS is no longer a low-risk environment. Engineering, product, and executive teams are disproportionately Mac users with privileged access, making them high-value targets. 

• A single compromised Mac can be an enterprise-wide breach entry point. Stolen session tokens, Keychain credentials, and SaaS cookies harvested from one device can grant attackers persistent access to cloud environments and internal systems without triggering authentication alerts. 

• The ClickFix technique has evolved. Attackers now mimic and abuse legitimate AI platforms like Claude Code and Grok, exploiting the trust employees place in these tools to bypass traditional security controls entirely. 

• Automated sandboxes miss macOS threats by design. Without interactive analysis, the execution paths are never triggered, and the threat goes undetected. 

• ANY.RUN’s macOS sandbox closes a years-long visibility gap. Security teams can now investigate Apple-targeted threats inside the same unified workflow used for Windows, Linux, and Android — eliminating the context-switching and tooling fragmentation that slows incident response. 

Why macOS Threat Analysis Now Belongs in Your Security Stack 

Static or automated scanners often miss the full picture because many macOS threats stay dormant until a user enters a password, approves a dialog, or interacts with the system. This creates dangerous visibility gaps, longer dwell times, and slower incident response in mixed Windows/macOS environments. 

Interactive sandbox analysis lets security teams safely detonate suspicious files or URLs, observe real-time behavior, and simulate genuine user actions, revealing hidden intent, data exfiltration paths, and attacker capabilities that would otherwise remain invisible. 

• Moonlock’s Mac Security Survey 2025 found that 66% of Mac users have encountered at least one cyber threat within the past year. 

• Over 80 countries affected by major Mac stealer malware campaigns. 

• A 67% increase in registered macOS backdoor variants in 2025. 

The Use Case: A macOS ClickFix Campaign Targeting AI Users 

ANY.RUN recently uncovered a sophisticated macOS-specific ClickFix campaign aimed squarely at users of popular AI development tools — including Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. 

Observe the attack chain in a live sandbox session 

Attackers bought Google ads that redirected victims to convincing fake documentation pages mimicking legitimate AI platforms (Claude Code in this case). Once there, a ClickFix-style social engineering prompt tricked users into running a terminal command.  

This downloaded an obfuscated script that installed the AMOS Stealer malware. 

AMOS escalated to root privileges, swept browser credentials and session cookies from Chrome, Safari, and Firefox, emptied cryptocurrency wallet applications, harvested saved passwords from the macOS Keychain, collected files from the Desktop, Documents, and Downloads folders, and installed a persistent backdoor that restarted itself within seconds if terminated.  

This backdoor upgraded from basic command polling to a fully interactive reverse shell over WebSocket with PTY support, giving attackers real-time, hands-on control of the compromised Mac. 

To validate your detection coverage, research the campaign’s IOCs collected in our X post and subscribe to ANY.RUN via X.  

Why This Attack Works 

This campaign represents a fundamental shift in how risk reaches organizations. The delivery mechanism was not a phishing email or a malicious attachment — two threat vectors that corporate security infrastructure is built to intercept. It was a search engine result, a paid advertisement, and a trusted AI interface. Employees were not behaving carelessly; they were using the same research tools they use every day to get work done. 

• AI workflows normalize experimentation: users expect to copy commands, test tools, and troubleshoot issues. The attack blends into that behavior. 

• macOS users often operate with elevated trust: there is still a lingering perception that macOS is less targeted, which lowers suspicion. 

• Security tools are not built for “user-driven execution”: when a user intentionally runs a command, many controls interpret it as legitimate activity. 

In short, the attack doesn’t break the rules. It borrows them. 

What This Means for Business 

This type of campaign doesn’t rely on technical failure, but on human-process alignment: 

• Compromise without exploitation: traditional vulnerability management offers no protection here. The attack path is behavioral. 

• High-value users are directly exposed: the targets of AI tools are often the same people with access to sensitive systems and data. 

• Detection timelines increase: without clear malicious signatures, identifying the attack depends on recognizing suspicious behavior patterns. 

• Incident scope can expand quickly: once access is established, attackers can pivot into internal systems, especially in loosely governed tool environments. 

Traditional security tools largely failed to detect this campaign because the initial payload (a shell command pasted from a legitimate website) produced no files, no installer, and no warning dialogs. Understanding and blocking the full attack chain required behavioral analysis in an environment that could replicate what a real macOS user would experience. That is precisely what interactive sandbox analysis provides. 

ANY.RUN Now Covers the Full Enterprise Attack Surface 

Recognizing that modern enterprises are not single-OS environments, ANY.RUN has extended its Interactive Sandbox to include macOS virtual machines, now available in beta for Enterprise Suite customers. This brings the platform to four major operating systems (Windows, Linux, Android, and macOS) within a single unified investigation workflow. 

When a macOS-specific file surfaces alongside Windows samples in a phishing campaign, analysts no longer need to switch context, stand up separate infrastructure, or route the sample to a different team. Cross-platform campaigns can be investigated as a whole. 

Interactive analysis catches what automated tools miss. A critical characteristic of many macOS threats, including the AMOS campaign described above, is that they are designed not to trigger until a user takes a specific action.  

ANY.RUN‘s interactive environment allows analysts to replicate genuine user actions during live sandbox execution. The result is that deceptive authentication dialogs, staged execution chains, and social engineering lures become visible and documentable, rather than hidden behind an execution condition the sandbox never triggered.  

In one documented analysis of the Miolab Stealer, a macOS-targeting infostealer, the sandbox surfaced the malware’s fake authentication prompt, the AppleScript routine used to collect files from user directories, and the outbound data transfer via a curl POST request, providing a complete behavioral picture of the attack chain in minutes. 

The practical impact of adding macOS to the sandbox workflow is measurable at multiple levels: 

• Security teams can now validate suspicious files and URLs targeting Mac endpoints within minutes using behavioral analysis, rather than escalating to manual investigation or accepting the risk of unconfirmed alerts. The reduction in triage time directly compresses Mean Time to Detect and Mean Time to Respond: both metrics that translate directly into breach risk and regulatory exposure. 

• For organizations where macOS represents a significant portion of the device fleet this closes a visibility gap that has existed for years. Attackers have been aware of and exploiting that gap. The tools to close it now exist. 

• For MSSPs managing diverse client environments, the ability to investigate macOS threats within the same platform used for Windows and Linux analysis means consistent SLAs, fewer escalation paths, and the capacity to handle cross-platform incidents without specialized personnel for each OS. 

Conclusion 

The campaign that weaponized AI platforms to deliver credential-stealing malware to macOS users is a clear indicator of where threat actors are investing their development effort. AI services trust, search engine visibility, and macOS endpoints are converging into a high-value attack surface: one that is actively being exploited against enterprises today. 

ANY.RUN’s expansion of its Interactive Sandbox to macOS gives security leaders a direct answer to a question that has grown more urgent with every major Apple-targeted campaign: when a threat targets our Mac users, can we actually see what it does? That answer is now yes. 

The capability is available in beta for Enterprise Suite customers. For organizations running mixed-OS environments — which today means nearly every enterprise — it represents a concrete step toward closing the gap between the threats targeting their users and the tools available to analyze them. 

About ANY.RUN  

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ 

The post ClickFix Meets AI: A Multi-Platform Attack Targeting macOS in the Wild appeared first on ANY.RUN's Cybersecurity Blog.

This requires a shift in how threat intelligence is used: not as a reference point, but as a core layer in the decision process. 

Moving from reactive to confidently proactive security means establishing a threat intelligence workflow that:

• Solve key challenges, from alert fatigue to blind spots 

• Integrate across SOC workflows, supporting them 

• Deliver compounding value as a unified system 

In this model, threat intelligence becomes part of the SOC’s operational fabric. That’s what ANY.RUN Threat Intelligence is designed for. 

It becomes a layer inside your SOC’s operations. A layer that provides behavioral context, workflow support, and data delivery for faster triage, incident response, and threat hunting. 

Read further to see how it changes each stage of your SOC operations. 

Key takeaways 

• Threat intelligence must move from data to decisions, as its value is measured by how it improves SOC actions, not how much data it provides.
• Context is the differentiator. Linking IOCs to behavior and TTPs is what enables accurate triage and detection.
• Unified TI drives consistency in SOC teams, embedding intelligence across workflows.
• Operationalized TI compounds over time. Every investigation strengthens detection, automation, and future response.
• ANY.RUN’s threat intelligence is built on live attack data that provides unique, real-time visibility into emerging threats and supports the full investigation cycle.

Solving Key SOC Challenges with Behavioral TI 

Most threat intelligence today is still delivered as bare indicator feeds, standalone reports, or enrichment tools with fragmented intelligences that exist outside the core SOC workflow. 

In this model, threat intelligence behaves as an input, not as part of the system itself. Indicators without context create noise. Context without operationalization creates friction. As a direct outcome, SOCs struggle with: 

• Time-consuming manual enrichment 

• Operational bottlenecks across processes 

• Detection that gets delayed by the lack of fresh data 

Human-centered challenges in SOC teams are often not analysts’ fault either. Alert fatigue and unnecessary escalations stem from fragmented, hard-to-access threat data that fails to deliver usable context during investigations. 

The path to improvement lies in acquiring actionable threat intelligence that operationalizes SOC tasks and completes the workflow, supporting the entire investigation cycle. 

Threat Intelligence That Offers More than Just Indicators 

What SOC teams require is actionable intelligence that supports decisions and execution, enabling analysts to move from enrichment to understanding, and from understanding to detection and rapid response. 

Where traditional TI may fail because of its fragmented, add-on nature, actionable threat intelligence encompasses the entire malware and phishing investigation cycle by: 

• Connecting indicators to behavior (processes, command lines, network activity, registry changes) 

• Providing immediate context for triage decisions 

• Translating findings into detections and hunting hypotheses 

• Continuously feeding SOC pipelines (SIEM, SOAR, EDR) 

• Remaining relevant through real-time, fresh data 

• Supporting both automation and analyst-driven workflows 

This is threat intelligence that doesn’t exist beside your SOC, but an essential operational layer within it that turns repetitive work into a scalable workflow where each detection enhances overall security and proactive protection from similar threats in the future. 

A key differentiator of effective threat intelligence is its foundation in live, real-world attack activity. 

ANY.RUN Threat Intelligence is built on continuously analyzed data from over 15,000 organizations and 600,000 analysts conducting daily malware and phishing investigations worldwide. This creates a unique, constantly evolving dataset of active threats processed and validated to minimize noise. 

 Operational Impact of Actionable Threat Intelligence   

ANY.RUN’s TI As an Operational Layer in Your SOC 

ANY.RUN’s approach to behavioral threat intelligence is built around the idea of treating it not as a dataset but as an operational layer that connects context and action across the SOC lifecycle. 

This approach reframes TI from a passive resource into an active component of the SOC system that: 

1. Links Isolated IOCs to malware behavior and TTPs via TI Lookup 

Instead of treating indicators as isolated data points, with Threat Intelligence Lookup (TI Lookup), a solution for instant enrichment and threat research, analysts immediately see how they behave in real attacks. Any artifact (IP, domain, hash, or URL) is enriched with execution context, infrastructure relationships, and associated TTPs. 

This allows teams to move from “what is this?” to “how does this operate?” within seconds, improving triage quality and enabling faster, more confident decisions. 

2. Embeds context directly into triage and response 

Whether through integrations or manual use, threat intelligence from ANY.RUN becomes a part of the SOC investigation cycle that supports early detection and smart decisions. 

• Threat Intelligence Lookup and Threat Intelligence Feeds are available for integration via connectors or API/SDK. See all integrations 

3. Enables conversion of intelligence into detections via YARA Search 

Threat intelligence becomes particularly valuable when it directly translates into detections. YARA Search enables that by helping analysts test, refine, validate, and create YARA rules to ensure coverage of relevant threats with reduced false positives. 

The result is more reliable detections and greater confidence in security controls. 

4. Delivers continuous, real-time intelligence streams via TI Feeds 

Threat Intelligence Feeds are continuously delivered into existing security pipelines rather than accessed on demand, and that’s how real-time, validated indicators sourced from live attack data flow directly into SIEM, SOAR, and EDR systems, supporting automated detection, correlation, and response. 

This reduces manual workload, improves alert quality, and lowers dwell time. 

5. Fills visibility gaps with TI Reports 

ANY.RUN TI Reports address the partial visibility challenge in SOC teams by providing threat overviews curated by our experts, turning analyst-driven insights into strategic intelligence with threat behaviors, TTPs, and detection opportunities already described and contextualized. 

This enables teams to quickly understand emerging risks, validate their coverage, and identify blind spots without investing additional investigation time. 

Threat Intelligence Across Processes and Outcomes 

ANY.RUN Threat Intelligence’s goal is not to improve a single step, but to encompass the entire operational cycle. 

Conclusion 

High-performing SOCs are defined by how effectively threat intelligence is integrated into their operations. 

When threat intelligence components operate as a unified system rather than isolated capabilities, they stop being tools and become part of the SOC’s operational infrastructure. 

In this model, Threat Intelligence is: 

• a unified, behavior-driven intelligence layer; 

• a continuous link from indicators to behavior and from detection to automation; 

• a real-time stream of relevant, active threat data; 

• embedded across triage, incident response, threat hunting, detection, and management. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and behavior-driven threat intelligence solutions designed to support real-world SOC operations. The platform enables security teams to understand threats faster, make informed decisions, and operationalize intelligence across detection and response workflows.

Used by over 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN delivers continuously updated intelligence based on live attack analysis. The company is SOC 2 Type II certified, ensuring strong security controls and protection of customer data.

FAQ

The post From Reactive to Proactive: 5 Steps to SOC Maturity with Threat Intelligence  appeared first on ANY.RUN's Cybersecurity Blog.

From Microsoft 365 token abuse and registry-hidden RAT delivery to card theft, macOS backdoor activity, and multi-vector DDoS operations, the threat landscape in March showed how much harder early detection has become for security teams.

Key Business Risks That Stood Out in March Attacks 

• Trusted services and normal-looking workflows were repeatedly used to hide malicious activity, increasing the risk of delayed detection across enterprise email, cloud, payment, and endpoint environments. 

• Attacks observed in March affected industries including government, finance, healthcare, technology, education, manufacturing, and energy, with risks extending beyond initial access into token abuse, remote access, card theft, and broader malware deployment. 

• Stealthy, multi-stage delivery methods made early signals weaker and investigations slower, raising the likelihood of escalation before security teams could confirm malicious behavior. 

• For organizations, the business impact was not limited to infection alone, but included fraud, downtime, deeper compromise, and higher operational costs tied to delayed response. 

1. EvilTokens: OAuth Device Code Phishing Enables M365 Account Takeover Without Credential Theft 

Post on LinkedIn

Check detailed breakdown 

ANY.RUN analysts observed a sharp rise in EvilTokens, a phishing campaign abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week. Instead of stealing credentials on a fake login page, attackers trick victims into entering a verification code on microsoft[.]com/devicelogin, which causes Microsoft to issue OAuth tokens directly to the attacker. 

This makes EvilTokens especially dangerous for organizations relying on traditional phishing detection. The user signs in through a legitimate Microsoft page, completes MFA, and never submits credentials to the phishing site. As a result, the compromise shifts from password theft to token abuse, giving attackers access to Microsoft 365 resources while blending into normal authentication activity. 

Because the workflow runs over encrypted HTTPS and uses legitimate Microsoft infrastructure, key attack signals are often hidden from security teams. That delays validation, extends investigations, and increases the chance of escalation before analysts can confirm what happened. 

See full attack flow exposed in ANY.RUN Sandbox 

Inside ANY.RUN Sandbox, automatic SSL decryption revealed the hidden JavaScript and backend communication used to orchestrate the phishing flow. In this case, analysts uncovered high-confidence network indicators such as: 

• /api/device/start 

• /api/device/status/* 

• X-Antibot-Token 

When seen in HTTP requests to non-legitimate hosts, these artifacts become strong hunting signals for identifying related phishing infrastructure and improving detection coverage. 

To investigate similar activity and validate detection logic, use this TI Lookup query: 

threatName:”oauth-ms-phish” 

TI Lookup helps teams quickly assess the broader attack landscape around EvilTokens and related OAuth phishing activity. Recent submissions show notable targeting across Technology, Education, Manufacturing, and Government & Administration, especially in the United States and India, while other regions are also affected.

This gives SOC teams access to related sandbox analyses, IOCs, and behavioral patterns they can use to strengthen detections and hunting. For CISOs, that means earlier visibility into relevant campaigns, better prioritization of response efforts, and a stronger ability to reduce the business impact of Microsoft 365 account takeover. 

IOCs related to this attack: 

• singer-bodners-bau-at-s-account[.]workers[.]dev  

• dibafef289[.]workers[.]dev  

• ab-monvoisinproduction-com-s-account[.]workers[.]dev  

• subzero908[.]workers[.]dev  

• sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev  

• tyler2miler-proton-me-s-account[.]workers[.]dev 

2. macOS ClickFix Campaign Targets Claude Code Users with AMOS Stealer and Backdoor Access 

Post on LinkedIn

ANY.RUN analysts identified a macOS-specific ClickFix campaign targeting users of AI tools such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. In the observed case, attackers used a redirect from Google Ads to a fake Claude Code documentation page, where a ClickFix flow pushed the victim to run a terminal command that ultimately delivered AMOS Stealer. 

Once executed, the infection chain moved beyond credential theft. The malware collected browser data, saved credentials, Keychain contents, and sensitive files, then deployed a backdoor that provided continued access to the infected Mac. This makes the attack more serious than a one-time stealer infection, especially in enterprise environments where macOS systems often hold developer access, internal documentation, and business-critical credentials. 

How the attack unfolds: 

• Google Ads redirect sends the victim to a fake Claude Code documentation page 

• ClickFix lures the user into running a terminal command 

• The command downloads and executes an encoded script 

• AMOS Stealer collects browser data, saved credentials, Keychain contents, and sensitive files 

• A backdoor is deployed for continued access 

• The updated ~/.mainhelper module enables an interactive reverse shell over WebSocket with PTY support 

A key finding in this case was the evolution of the backdoor module ~/.mainhelper. Previously described as a more limited implant, the updated variant now supports a fully interactive reverse shell, giving attackers persistent, hands-on access to the infected system in real time. 

For defenders, that changes the risk significantly. What starts as a phishing-style ClickFix infection can quickly turn into long-term remote access, data theft, and broader compromise. Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components also break visibility into weaker signals, which can slow validation and delay escalation. 

See the full macOS ClickFix campaign execution chain 

ANY.RUN Sandbox helps teams investigate macOS, Windows, Linux, and Android threats with visibility into execution flow, attacker behavior, persistence mechanisms, and dropped artifacts. In cases like this, this cross-platform threat analysis helps analysts confirm malicious activity faster, attribute the intrusion with greater confidence, and strengthen detection logic before the compromise expands further. 

3. RUTSSTAGER: Registry-Stored DLL Leads to OrcusRAT Deployment 

Post on LinkedIn

ANY.RUN analysts detected RUTSSTAGER, a stealthy malware stager that hides a DLL inside the Windows registry in hexadecimal form, making the payload harder to spot during early triage. In the observed chain, the stager led to the deployment of OrcusRAT, followed by an additional binary that helped maintain persistence, ran PowerShell-based system checks, and relaunched the RAT when needed. 

What makes this threat notable is the way it avoids a straightforward on-disk delivery path. By storing the DLL in the registry instead of dropping it as a conventional file, the malware reduces its visibility and gives defenders fewer obvious artifacts to catch at first glance. The follow-on activity then helps stabilize the infection and keep remote access available on the compromised system. 

Review the full execution chain 

Inside ANY.RUN Sandbox, behavioral analysis exposed how the infection unfolded across stages, while file system and process monitoring helped reveal the relationship between the stager, the deployed RAT, and the persistence component. Process synchronization events were especially useful here, showing that the payload components were not acting independently but as part of a coordinated, multi-stage execution chain. 

To explore related activity, review relevant sandbox analyses and assess the broader threat landscape, use the following TI Lookup query: registryName:”^rutsdll32$” 

Gathered IOCs: 

• 57ce6187be65c1c692a309c08457290ae74a0047304de6805dbb4feb89c0d7e5 

• 6a581c3b6fe7847bb327f5d76e05653a1504e51023454c41835e5dc48bc13ba4 

• 7d157366d74312965912a35cbba4187532cfeb3b803119a3a04c9ba0ba7d4ab0 

• 07f56ac8b5bd7cdb4c33ea5e9cd42bc7f9d3cd5504aabbb476ef010a142d7e29 

• a6f72590792b3f26271736e5a7ba80102292546bb118cf84ff29df99341abfbe 

4. Fake PDF Attachments Hide HTML Phishing Pages That Steal Credentials 

Post on LinkedIn

ANY.RUN analysts identified phishing emails carrying HTM/HTML attachments disguised as PDF files. In the observed case, a file named pdf.htm opened a fake login page and sent submitted credentials in JSON format through an HTTP POST request to the Telegram Bot API. 

The attack relies on a simple but effective disguise: the attachment looks like a document but actually launches a phishing page designed to collect login data. Some samples also include obfuscated scripts, which makes the credential theft logic less obvious during manual inspection and slows down triage.

Once a victim enters their credentials, attackers can use them to access business email, internal services, and other corporate systems tied to the compromised account. For security teams, this turns what may look like a routine attachment into a fast-moving account takeover risk. 

See the analysis session 

Inside ANY.RUN Sandbox, the phishing behavior became visible in under 60 seconds, exposing the outbound communication, loaded scripts, and file contents involved in the theft flow. This helps teams quickly confirm whether an attachment is just suspicious or part of an active credential-harvesting attack, reducing review time and helping analysts act before the stolen access is used. 

5. SVG Smuggling Campaign Targets Colombian Organizations 

Post on LinkedIn

ANY.RUN analysts observed a phishing campaign targeting organizations in Colombia, particularly in government, finance, oil and gas, and healthcare. The attackers use Spanish-language phishing emails with an attached SVG file that acts as more than an image: it contains embedded JavaScript that rebuilds the next attack stage locally through SVG smuggling. 

Instead of downloading a payload from an external source right away, the SVG uses a blob URL to generate an intermediate HTML lure inside the browser. That lure imitates a document-related workflow and creates a password-protected ZIP archive for the victim to open, pushing the attack forward while reducing obvious early network signals. 

This staged delivery makes the campaign harder to catch during initial triage. SVG smuggling, blob-generated content, and the later use of legitimate Windows components break the compromise into smaller artifacts that may look weak or unrelated on their own, slowing detection and investigation. 

Inside ANY.RUN Sandbox, analysts were able to reconstruct the full flow: 

SVG smuggling → Blob-based HTML lure → Password-protected ZIP → Notificacion Fiscal.js → radicado.hta → J0Ogv7Hf.ps1 → C2 communication 

That visibility helps security teams connect scattered artifacts faster, uncover hidden delivery stages, and confirm malicious activity before the intrusion progresses further. 

You can use the following Vjw0rm C2 response commands as detection signals to detect active compromise in your environment:  

• Cl — execution termination 

• AW — active window data collection and exfiltration 

• Ex — PowerShell code execution 

• SF / RF — base64 payload delivery, storage, and execution 

• DL — file download from URL with optional execution 

• DLF — file delivery via C2 with storage and execution 

• Un — removal of persistence mechanisms and related artifacts 

6. Active Magecart Campaign Hijacks eStores and Steals Card Data 

Check detailed breakdown 

ANY.RUN analysts uncovered an active Magecart campaign targeting e-commerce websites, with a notable concentration in Spain. In the observed cases, attackers hijacked checkout flows, replaced legitimate payment steps with fake interfaces, and stole card data through WebSocket-based exfiltration. 

What makes this campaign especially dangerous is its durability. The operation remained active for more than 24 months and relied on a large infrastructure of 100+ domains, using staged payload delivery, fallback domains, and payment-page mimicry to stay operational and avoid disruption. In Spain-focused cases, the attackers notably abused Redsys-themed payment context to make the fraudulent flow appear legitimate. 

The campaign also stood out for how it blended card theft into trusted payment experiences. Instead of relying on a simple fake form, the malware dynamically adapted the checkout page, injected malicious elements, and transmitted stolen payment data outside normal HTTP flows, making detection harder for defenders and increasing fraud risk for banks and payment ecosystems. 

See the full payment-skimming chain  

Inside ANY.RUN Sandbox, analysts exposed the multi-stage delivery logic, malicious script injection, fake payment overlays, and WebSocket-based card data exfiltration. This helps security teams understand how the skimmer operates, identify related infrastructure faster, and strengthen detections against long-running payment theft campaigns. 

7. Kamasers: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide 

Check detailed analysis 

ANY.RUN published a detailed technical analysis of Kamasers, a multi-vector DDoS botnet designed to carry out both application-layer and transport-layer attacks while also supporting follow-on payload delivery. The research shows how the malware operates, how it receives commands, and why it creates risk beyond disruption alone. 

See Kamasers behavior exposed 

Inside the sandbox, analysts observed the botnet retrieving command-and-control data, communicating with active infrastructure, executing DDoS-related commands, and in some cases downloading additional files for execution. This helps security teams confirm malicious behavior faster and understand whether an infected host is being used only for flooding activity or as part of a broader compromise. 

Kamasers supports multiple attack methods, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. In addition, it can act as a loader, which increases the risk of further malware delivery, data theft, or ransomware. 

Another notable finding was the botnet’s resilient Dead Drop Resolver design. Instead of depending on a single static C2 location, Kamasers uses legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and Etherscan to retrieve active command-and-control addresses, making disruption and early detection more difficult. 

For organizations, that means a single infected system can become both a source of external attacks and a foothold for deeper intrusion, increasing operational, financial, and reputational risk. 

To review related sandbox analyses and broader activity, use the following TI Lookup query: 

threatName:”kamasers” 

8. MicroStealer: A Fast-Spreading Infostealer with Limited Detection 

Check technical analysis 

ANY.RUN analysts found MicroStealer, a fast-spreading infostealer that gained traction despite limited public detection. In observed activity, the malware appeared in 40+ sandbox sessions in less than a month, using a multi-stage chain to steal credentials, session data, screenshots, and wallet files. 

See the full execution chain 

Inside the sandbox, analysts were able to quickly confirm how the threat unfolds and what data it targets. This kind of visibility helps security teams move from an unclear file to a confident verdict faster, reducing review time and lowering the chance of missed credential theft. 

How the attack unfolds: 

• NSIS installer delivers the initial payload 

• Electron loader requests elevated privileges and launches the next stage 

• Java module executes the main stealer logic 

• Browser credentials, session data, screenshots, and wallet files are collected 

• Stolen data is sent to attacker-controlled infrastructure 

What makes MicroStealer notable is not only what it steals, but how it delays confident detection. The layered NSIS → Electron → Java execution chain, combined with obfuscation and anti-analysis checks, makes the malware harder to understand during early triage. 

To review related sandbox analyses and broader activity, use the following; TI Lookup query: 

threatName:”microstealer” 

For organizations, this risk goes beyond a single infected endpoint. Stolen browser credentials and active sessions can give attackers access to SaaS apps, internal systems, and cloud services, increasing the chance of account compromise and broader intrusion. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect threats earlier, investigate incidents faster, and build stronger response workflows. With Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, the company gives SOC and MSSP teams the visibility and context they need to move from alert to confident decision more quickly.  

Today, more than 15,000 organizations and 600,000 security professionals worldwide rely on ANY.RUN. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection.

The post Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More  appeared first on ANY.RUN's Cybersecurity Blog.

At the same time, our detection team continued to strengthen threat coverage with new behavior signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques. 

Here’s a closer look at what’s new. 

Product Updates 

This month’s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded sandbox coverage to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.

Automatic SSL Decryption for Stronger Phishing Detection 

Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.

In March, ANY.RUN introduced automatic SSL decryption in the Interactive Sandbox across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.

Check real-world example: Detecting Salty2FA phishing campaign with SSL decryption

This significantly expands phishing visibility across every sandbox session. After implementing the technology, ANY.RUN saw a 5x increase in SSL-decrypted phishing detection and added 60,000 more confirmed malicious URLs to TI Lookup each month. 

For your SOC, this means: 

• Higher detection rate: Analysts can now identify phishing activity that would otherwise stay hidden inside encrypted traffic. 

• Faster MTTD and MTTR: Teams confirm malicious behavior earlier and respond before phishing causes broader damage. 

• Reduced Tier 1-to-Tier 2 escalation volume: Tier 1 can close more cases independently and escalate only the incidents that truly need deeper investigation. 

Expanding Your SOC’s Cross-Platform Analysis with macOS 

As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases. 

To help solve this, ANY.RUN expanded its sandbox OS coverage with macOS virtual machine, now available in beta for Enterprise Suite users. This gives teams one environment to investigate threats across Windows, Linux, Android, and now macOS.  

View analysis of macOS threat 

Bringing interactive macOS analysis into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.

This operational improvement leads to measurable outcomes:  

• Faster validation of suspicious files and URLs: Teams can confirm malicious behavior in minutes through behavior-based analysis during triage. 

• Shorter investigation cycles: Analysts can observe full execution behavior in one environment without manually piecing evidence together across multiple tools. 

• Improved cross-platform detection coverage: Security teams can investigate platform-specific threats across macOS, Windows, Linux, and Android in a consistent workflow. 

• Higher productivity during triage: Less context switching helps analysts process more alerts per shift. 

• Reduced alert backlog during peak activity: Faster decisions help SOC teams keep queues under control during phishing waves and malware outbreaks. 

Advancing Server-Side Threat Analysis with Windows Server 

For many enterprise teams, critical infrastructure runs on Windows Server, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup. 

To close that gap, ANY.RUN Sandbox now supports analysis in a Windows Server environment. This gives security teams a way to observe attack behavior in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools. 

This addition helps teams strengthen infrastructure-focused triage and response: 

• Better visibility into server-specific techniques: Teams can analyze behavior tied to domains, policies, and administrative utilities in a more relevant environment. 

• Stronger investigation confidence for infrastructure threats: Analysts can validate whether a sample affects server-side services or critical business systems before escalating. 

• More effective detection and response preparation: Security teams can collect artifacts, refine detections, and improve incident playbooks for Windows Server scenarios. 

Threat Coverage Updates 

In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse. 

This month’s updates include: 

• 91 new behavior signatures 
• 1,293 new Suricata rules 

These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader behavior, and suspicious use of built-in system tools. 

New Behavior Signatures 

In March, we added 91 new behavior signatures to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity. 

These updates improve visibility into behaviors often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis. 

Highlighted families and detections include: 

New behavior-based detections also cover: 

Together, these additions give security teams broader behavioral coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions. 

New Suricata Rules 

In March, we added 1,293 new Suricata rules to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic. 

Key highlights include: 

• Credential theft via Telegram API (sid: 84001778): Tracks adversary attempts to exfiltrate victim’s email & password via Telegram Bot API 

• MS OAuth Device Code phish / EvilTokens activity (sid: 84001845): Identifies usage of emerged attack technique that exploits legitimate OAuth 2.0 device authorization flows to gain control over victims’ Microsoft 365 accounts

• DinDoor backdoor HTTP activity (sid: 85006556): Detects Iran-linked MuddyWater (TA450) actor’s new backdoor attempts to establish C2 communication via HTTP

Threat Intelligence Reports 

In March, our team published new Threat Intelligence Reports on emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques.

Available as part of ANY.RUN’s TI Lookup Premium plan, these reports help security teams better understand active threats and investigate them with stronger context.

• VIDAR, VENON, and SLOPOLY: This report covers a polymorphic stealer, a Rust-based banking RAT, and a PowerShell backdoor tied to the Hive0163 ecosystem, with a focus on their behavior, artifacts, and detection opportunities. 

• Steaelite, BlackReaper, and Jigsaw: This brief looks at three threats combining credential theft, remote access, persistence, and ransomware behavior, including Telegram-based control and file encryption activity. 

• PhantomProxyLite, Rutsstager, Steaelite RAT, and Nopname: This report explores tunneling, registry-based staging, data theft, and ransomware, showing how these threats mix stealth techniques with clear forensic traces. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and threat intelligence solutions built to support modern security operations. 

By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier. 

Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, compliance, and workflow demands of real-world security operation

Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization → 

The post Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections  appeared first on ANY.RUN's Cybersecurity Blog.

As always, the conference brought together security leaders, vendors, and practitioners from around the world. For the ANY.RUN team, it was a packed few days of meetings with customers and partners, insightful presentations, and strong industry recognition. 

ANY.RUN at RSAC 2026 

This year, ANY.RUN was represented at RSAC by our CCO, Alex, who attended the conference to meet with partners and customers, discuss ongoing collaborations, and exchange insights on evolving threat detection challenges. 

Beyond scheduled meetings, RSAC also provided an opportunity for deeper conversations in a more informal setting, including a partner dinner where key topics around SOC workflows, threat intelligence, and detection strategies were discussed. 

These interactions are an important part of how we continue to align ANY.RUN’s solutions with real-world needs across security teams and MSSPs. 

Industry Recognition at Global InfoSec Awards 2026 

During RSAC 2026, ANY.RUN was honored at the Global InfoSec Awards 2026, organized by Cyber Defense Magazine. 

We received recognition in two categories: 

• Innovative Malware Analysis for Interactive Sandbox 

• Market Leader in Threat Intelligence  

The recognition reflects what our solutions deliver in practice: higher detection rates, lower MTTR, and faster decision-making through interactive analysis and real threat context. It highlights unified workflows that keep investigations within a single process from monitoring to response, along with the ability to scale across both enterprise SOCs and MSSPs. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and actionable threat intelligence designed for modern security teams. 

Our solutions combine an Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds to help SOC and MSSP teams analyze threats faster, investigate incidents with deeper context, and detect emerging attacks earlier. 

Trusted by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN maintains a strong focus on data protection and compliance, while continuously evolving its solutions to address real-world threat detection and investigation challenges for SOCs and MSSPs. 

The post ANY.RUN at RSAC™ 2026: Highlights & Industry Recognition appeared first on ANY.RUN's Cybersecurity Blog.

As ANY.RUN’s analysis shows, threat actors applied multi-step checkout hijacking, payment page mimicry, and WebSocket-based exfiltration of card data. 

This report provides both executive-level insights and technical analysis of the campaign. 

Key Takeaways 

• The campaign demonstrates long-term persistence (24+ months) supported by highly resilient infrastructure. 

• Banks (not merchants) bear the primary impact, as stolen card data leads to fraud losses and reputational risk. 

• Payment system mimicry (notably Redsys) significantly increases attack success by embedding fraud into trusted user flows. 

• Use of WebSocket exfiltration reduces visibility in traditional security monitoring tools. 

• Multi-stage, dynamically delivered payloads allow attackers to adapt quickly and evade disruption. 

• The campaign is global but regionally tailored, leveraging localized payment ecosystems to enhance credibility. 

Campaign Overview 

A large-scale magecart operation has been identified, active for at least 24 months and supported by over 100 domains. In observed cases, threat actors deployed a multi-stage checkout hijacking framework, incorporating: 

• Payment step substitution  

• WebSocket-based exfiltration of payment card data 

• Payment page mimicry, including infrastructure-level impersonation of legitimate providers (notably Redsys)

• Dynamic frontend adaptation of payment interfaces matching different storefronts and scenarios

A total of 17 WooCommerce websites were infected between February 2024 and April 2025 and are likely linked to this campaign, reflecting its longevity and operational stability. 

Industrial and Regional Context Behind Global Impact 

The geographic scope is of the campaign is global. Among the victims are organizations from at least 12 countries, including the United Kingdom and Denmark. However, there’s a notable concentration of such incidents in Spain, France, and United States. 

Some cases are confirmed directly via telemetry and network traffic, while others are identified via infrastructural correlation. 

From an industry perspective, mostly retail e-commerce companies were targeted, although in some cases, non-commercial organizations have been affected, too. 

However, the primary pressure here falls on banks, as cardholders faced financial exposure and their trust in payment systems suffered. 

Why Redsys and Spanish Payment Context Stand Out 

Despite the global impact, the ties to Spain and its payment ecosystem in particular are obvious in this magecart campaign.  

Mimicry of RedSys, a payment system used in Spain, lies in the foundation of the attacks. The campaign infrastructure features domains and visual artifacts designed to fit Spanish payment context. In some cases, user payment flows included legitimate Redsys domain sis.redsys.es for added credibility. 

The approach made the malicious activity of the campaign convincing within Spanish payment context. 

What Makes This Campaign Durable 

Payment Mimicry  

A significant portion of the infrastructure is registered via NICENIC INTERNATIONAL GROUP and disguised as legitimate web services, including analytics platforms, CDN resources, jQuery libraries, andpayment services. If you access them directly, they’ll act as technical placeholders or will simulate legitimate redirects. This complicates attribution. 

Multi-Stage Delivery Architecture 

The injected JavaScript contains only a minor loader that connects to external infrastructure, receives configuration data, and loads the next stage. The loader uses the fallback mechanism: it iterates through backup domains until a valid response is received. This allows the campaign to go on even if some components of the infrastructure get blocked. 

Dynamic Payload Delivery 

The next stage isn’t openly stored inside an infected file. It’s delivered dynamically via a staging response. Thanks to this, the operators modify delivery domains, payload paths, and control infrastructurewithout infecting the website again.  

Different domains aren’t necessarily serve different campaigns. Instead, they have different roles: staging responses, payload delivery, or for WebSocket/C2 and command handlers. 

Other Factors 

• State persistence in localStorage 

• Masquerading as legitimate external dependencies  

• WebSocket usage as a channel for control and exfiltration 

As a result, the compromised website becomes only an initial access point. Subsequent payload delivery and data exfiltration can be flexibly modified inside the external infrastructure. 

Technical analysis 

Initial Loader Delivery and Execution 

Following the compromise of a website, attackers modify one of the site’s embedded JavaScript files with a small, obfuscated loader. It doesn’t feature the main card-stealing logic but acts as an initialdelivery tool. It executes in the victim’s browser and receives parameters for the next stage from external infrastructure. 

Next, the obfuscated part of the loader refers to one of the pre-determined domains from the fallback infrastructure list. It returns a JSON configuration featuring the next stage’s address, WebSocket/C2 server address, and an extra HTTP handler for auxiliary communication. 

These values are delivered as encoded arrays of numeric character codes, which are then decrypted in the victim’s browser. 

In case no response was received or the JSON was invalid, the loader automatically switches to the next domain from the list. This mechanism ensures continued operation even in the presence of partial infrastructure disruption or blocking. 

Stage 1: Malicious Payload Delivery and Execution 

After receiving a valid staging response, the loader takes the URL of the next JavaScript and dynamically adds it to the DOM via a new <script src=…> element. 

Code fragment responsible for the execution of the malicious activity 

At this point, the primary malicious payload is loaded into the page. Notably, this payload may be delivered from different domains, such as: 

jquerybootstrap[.]com 

newassetspro[.]com 

assetsbundle[.]com 

bundlefeedback[.]com 

and others. 

In any case, the delivery stage is the same. The operators rotate payload sources to increase the infrastructure’s durability. 

Stage 2: Payment Step Activation 

After loading, the main payload begins executing within the context of the store’s webpage and waits for the checkout/payment DOM to appear. 

At this stage, it: 

• monitors the opening of the payment step; 

• interacts with checkout elements; 

• replaces or overlays the legitimate payment interface; 

• injects its own elements, including iframes and custom buttons; 

• hides the real payment confirmation elements. 

Once checkout is loaded, payment hijacking begins. 

Observed Code Patterns Indicative of Payment Hijacking 

In some cases, the mimicry is built around a payment scenario that is visually and logically close to a legitimate PSP flow. In cases related to Spain Redsys mimicry is especially notable, but payment overall can adapt to storefronts, countries, and local PSPs. 

Script Deobfuscation 

The core payload waits for the checkout form to appear and is responsible for the reception, validation, and sending payment data from the fake payment form. 

Notable Code Features Inside the Script 

The payload adapts to user environments with frontend localization capabilities and supports multiple languages: English, Spanish, Arabic, French.   

There’s a state machine with the following states: init, return, confirm, alert, getData, allowing for controlled progression through the attack lifecycle. 

Code for handling WebSocket connections to the C2 server for the control of the attack flow.  Part 1.

Code for handling WebSocket connections to the C2 server. Part 2

An example of the final result of the mimicry can be seen below:

There’s a heavily obfuscated JavaScript inside the HTML page. It uses techniques like that to avoid detection: 

• Anti-tampering: code integrity is verified via function serialization, as well as bitwise & arithmetical operations. 

• Virtualization: Custom VM’s opcodes, symbolic execution, code strings executed via eval call. 

The strings that are stored in an obfuscated form are decrypted using the VM: 

The payload is responsible for the formatting and validation of Visa/Mastercard payment data that are entered into the fake form, as well as UI state modification, and event or data delivery via postMessagemethod:

Stage 3: Connecting to Control Infrastructure 

After activation, the malicious payload establishes a connection to the control infrastructure, e.g., via WebSocket. 

This channel is used for: 

• transmitting service events; 

• sending BIN (Bank Identification Number) data; 

• transmitting full payment card details; 

• receiving additional commands to control the replaced payment flow. 

In one of the analyzed cases, WebSocket was used as the primary channel for card data exfiltration, while the C2 server was disguised as a Redsys domain (redsysgate[.]com). 

During the skimmer’s operation, it retrieves malicious JavaScripts from URLs that look like so: 
hxxps://<c2_domain>/<base64_text>.js?_=<digits> 

Then, WebSocket connections are used for control and data transmission at: 
wss://<c2_domain>/?token=<base64_data> 

When the user enters their data, an event is sent containing the exfiltrated information. In response, the server provides instructions on what to do next and what content to display, such as the logo of the payment system associated with the entered card (Visa/MasterCard). 

This is important for the understanding of the campaign: attackers are not simply stealing card data, they embed exfiltration into a seemingly legitimate payment context. 

Stage 4: Interception and Transmission of Payment Data 

When a user enters their card details into the spoofed payment interface, the payload takes them to the attackers’ external infrastructure. 

The following data was being transmitted in network traffic: 

• BIN 

• full card number 

• expiration date 

• CVV 

The transmission does not occur via a standard form POST request, but instead through a separate WebSocket channel, making detection via conventional HTTP logs more difficult. 

Importantly, within the same cluster, the visual scenario of the attack may vary. In some cases, Redsys-themed mimicry is observed; in others, PayPlug-like or generic card form scenarios are used. 

This does not necessarily indicate different campaigns: within a single malware family, the same loader, staging infrastructure, and exfiltration mechanism may be reused while applying different front-end disguises. 

Additional Vector: Distribution of Android APK via the Same Inject 

In addition to manipulating the payment step and stealing card data, the same malicious payload was also used as a platform to push the installation of an Android application in APK format. 

The script checked the user’s environment and, if certain conditions were met, displayed a separate mobile scenario offering the user to download an app. This included promises of discounts or bonuses, along with instructions on how to enable installation from “Unknown Sources.” 

Based on the contents of the payloads, this scenario was localized into at least several languages, including English, Spanish, Arabic, and French. This indicates that the campaign was targeting a broad international audience and relied on a prepared, rather than ad hoc, infrastructure. 

This scenario had several localization options, including English, Spanish, Arabian, and French, indicating the campaign’s global focus targeting particular, not random infrastructures. 

Conclusion 

This magecart campaign reflects a shift from opportunistic skimming toward structured, infrastructure-driven payment attacks. By combining checkout hijacking, high-fidelity payment mimicry, and real-time exfiltration, attackers embed malicious activity directly into legitimate transaction flows. This not only increases effectiveness but also complicates detection and response. 

Deep visibility into active attacks and continuous threat monitoring are required for efficient detection and prevention of such breachers.

About ANY.RUN 

ANY.RUN delivers interactive malware analysis and actionable threat intelligence, enabling security teams to investigate threats more efficiently, gain clearer visibility into attacker behavior, and respond with greater confidence. 

We focus on: 

• Maintaining SOC 2 Type II certification and a strong commitment to safeguarding customer data 

• Continuously enhancing our Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds to support monitoring, triage, and incident response workflows 

• Enabling SOC and MSSP teams to accelerate analysis, improve investigative context, and detect emerging threats at early stages 

Analysis and Investigation Data 

Link to TI Lookup query 

Browse TI Lookup for related threats 

Links to sandbox analyses 

Case 1: Confirmed checkout hijacking and WebSocket exfiltration of BIN, PAN, expiry date, and CVV. 

View analysis 

Case 2: The same loader cluster and staging infrastructure but without confirmed card exfiltration (possibly due to redirection to a legitimate external payment flow) 

View analysis 
Case 3: Confirmed use of the same loader cluster and staging infrastructure. 

View analysis 

Indicators of Compromise (IOCs)

Payload URL: hxxps[:]//<c2_domain>/<base64_text>.js?_=<digits>  

C2 WebSocket URL: wss[:]//<c2_domain>/?token=<base64_data>  

bundle-feedback[.]com  

doubleclickcache[.]com  

analyticsgctm[.]com  

hotjarcdn[.]com  

firefoxcaptcha[.]com  

solutionjquery[.]com  

jquerybootstrap[.]com 

assetsbundle[.]com 

bundle-referrer[.]com 

categorywishlist[.]com 

cachesecure[.]com  

securedata-ns[.]com  

analysiscache[.]com  

newassetspro[.]com  

explorerpros[.]com  

redsysgate[.]com 

The post Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud  appeared first on ANY.RUN's Cybersecurity Blog.

We’re especially proud and grateful that our impact for the industry has been acknowledged in two categories at once: 

• Innovative Malware Analysis for Sandbox 

• Market Leader Threat Intelligence  

This dual recognition reflects the approach to cybersecurity we prioritize: supporting the full SOC workflow by combining advanced malware and phishing analysis with integrated threat intelligence. 

What Made This Possible 

As highlighted by the award founders at CDM, ANY.RUN matched the values they looked for in participants:  

We believe that ANY.RUN’s repeated presence high in industry rankings reflects its ability to address operational challenges across the investigation cycle. Our solutions support enterprise security teams as they successfully: 

• Unify SOC Workflow: ANY.RUN offers a single ecosystem that streamlines monitoring, triage, and incident response without tool switching. 

• Accelerate Decision-Making: Interactive malware analysis combined with contextual threat intelligence delivers immediate insights, no external double-checking needed. 

• Scale Operations for SOCs and MSSPs: Standardized workflows and integrated intelligence empower teams of any size. 

Community Trust in Numbers 

ANY.RUN is used broadly by organizations with high security requirements, including the world’s largest enterprises: 

• We support 15,000+ SOCs and 600,000+ analysts in accelerating investigations, reducing risk, and improving operational outcomes across industries. 

• 74% of Fortune 100 companies rely on ANY.RUN for malware analysis and threat investigation workflows.   

We’re deeply thankful for customers, partners, and community for their continued trust. We appreciate every contribution and piece of feedback and process them to maintain high standards we set for our solutions. 

More on Global InfoSec Awards 2026  

Global InfoSec Awards 2026 is organized by Cyber Defense Magazine, a premier source of cyber security news and information for InfoSec professions in business and government. 

With a mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products, and services in the information technology industry, they deliver monthly magazines, as well as special editions for the RSAC Conferences.    

The award’s judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature and other market variables. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and actionable threat intelligence that enable security teams worldwide to investigate threats faster, understand attacker behavior more clearly, and respond with greater confidence. 

We prioritize: 

• Maintaining SOC 2 Type II certification and commitment to protect customer data. 

• Constantly improving Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds for support across monitoring, triage, and response SOC processes. 

• Helping SOC and MSSP teams accelerate analysis, gain deeper context during investigations, and identify emerging threats earlier. 

The post ANY.RUN Recognized for Innovations and Market Leadership at Global InfoSec Awards 2026   appeared first on ANY.RUN's Cybersecurity Blog.

Let’s explore the Kamasers botnet through both technical and behavioral analysis, looking at the commands it receives, the geographic distribution of its attacks, and the functions implemented in the malware sample. Together, these elements help reveal how Kamasers operates and why it poses a serious threat to organizations worldwide

Key Takeaways 

• Kamasers is a sophisticated DDoS botnet that supports both application-layer and transport-layer attacks, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. 

• The malware can also act as a loader, downloading and executing additional payloads, which raises the risk of further compromise, data theft, and ransomware deployment.

• Its C2 infrastructure is resilient, using a Dead Drop Resolver (DDR) through legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and even Etherscan to retrieve active C2 addresses. 

• Analysis showed that Railnet ASN repeatedly appeared in malicious activity tied to multiple malware families, making it a notable infrastructure element in the broader threat landscape. 

• Kamasers was observed being distributed through GCleaner and Amadey, showing that it fits into established malware delivery chains. 

• The botnet’s activity is international, with strong submission visibility in Germany and the United States, while targeting extends across sectors including education, telecom, and technology.

The Business Risk Behind Kamasers 

Kamasers is a flexible attack platform that can turn compromised enterprise systems into operational liabilities, external attack infrastructure, and potential entry points for deeper compromise: 

• Corporate infrastructure can be turned against others: Infected enterprise systems may be used to launch DDoS attacks on third parties, creating reputational, contractual, and even legal risk for the organization. 

• A broader incident can follow quickly: Because Kamasers can function as a loader, a single infection may lead to additional payload delivery, raising the risk of data theft, ransomware, and deeper intrusion. 

• Visibility gaps become harder to defend: The malware uses legitimate public services to retrieve C2 information, making malicious communication more difficult to detect and increasing the chance of delayed response. 

• Response costs rise fast: Investigating infected hosts, validating external impact, restoring systems, and handling possible IP blacklisting can create significant operational and financial strain. 

• Business trust can be affected early: If company infrastructure is linked to malicious traffic, customers, partners, and providers may react before the full incident is even understood. 

Kamasers highlights a serious enterprise risk: attackers can use resilient C2 discovery, flexible attack methods, and follow-on payload delivery to turn a single compromise into an incident with operational, financial, compliance, and reputational consequences. 

Kamasers Threat Overview 

Kamasers is a malware botnet family designed to carry out DDoS attacks using both application-layer and transport-layer vectors. It supports HTTP GET/POST floods, API-targeted attacks, defense evasion techniques, TLS handshake exhaustion, connection-holding methods, as well as UDP and TCP floods. Infected nodes receive commands from the command-and-control infrastructure and generate the corresponding traffic. In addition, Kamasers can also function as a loader, downloading and executing files from the network. 

ANY.RUN previously observed activity associated with Udados, which is most likely an evolution or updated version of Kamasers. As such, Udados can be considered part of the Kamasers family. 

You can find public sandbox analysis sessions related to the Kamasers family with the following Threat Intelligence Lookup query: 

threatName:”kamasers” 

If a corporate host becomes part of a botnet and is used to carry out DDoS attacks, the organization may face financial risks related to incident response, system recovery, network costs, and potential contractual penalties, as well as regulatory scrutiny if inadequate security measures are identified, especially in cases involving data compromise. 

An additional risk stems from the malware’s ability to act as a loader, downloading and executing third-party payloads. This increases the likelihood of further intrusion, data exfiltration, ransomware deployment, and the resulting operational and reputational damage. 

C2 and Infrastructure  

As part of the analysis, it was observed that the bot received the !httpbypass control command, which initiates an HTTP flood attack against a specified URL with defined intensity and duration parameters. After completing the attack, the bot reported its status and returned to standby mode. 

View analysis session 

 In the sandbox analysis session, we can see how a DDoS attack targets a domain: 

In a number of analysis sessions, the command-and-control server was used not only to coordinate DDoS activity, but also to deliver additional payloads. Specifically, the bot received the !downloadcommand, after which it downloaded and executed a file from an external domain, then confirmed successful session completion to the C2 server: 

View analysis session 

In one observed case, the bot received the !descargar command, the Spanish-language equivalent of !download, to retrieve an executable file from an external domain. 

View analysis session with C2 command in Spanish 

In some cases, the Kamasers botnet was observed using public blockchain infrastructure as an auxiliary mechanism for obtaining the C2 address. Specifically, infected hosts queried the Etherscan API(api.etherscan.io) to retrieve data containing the URL of the command-and-control server: 

View session querying the Etherscan API 

After obtaining the URL, the bot connects to the C2 server and sends information about its ID, command execution status, bot version, privileges on the infected host, C2 discovery source, and system information: 

In a number of cases, Kamasers uses public services, including GitHub, as an auxiliary source of configuration: 

Check how Kamasers uses public services  

Behavioral analysis of Kamasers showed that the botnet frequently establishes connections to IP addresses associated with Railnet LLC’s ASN.

Railnet is regularly mentioned in public reporting as a legitimate front for the hosting provider Virtualine. This provider is known for the absence of KYC procedures, and some research has noted that the associated infrastructure is used to host malicious services and facilitate attacks. 

Railnet infrastructure has previously been observed in campaigns targeting both government and private-sector organizations across several European countries, including Switzerland, Germany, Ukraine, Poland, and France. 

There are also documented cases of Railnet infrastructure being used to distribute other malware families, including Latrodectus, which a number of reports link to activity associated with groups such as TA577. 

At the time of analysis, ANY.RUN data showed that Railnet’s ASN consistently appeared in reports tied to a wide range of malicious activity and was being used by multiple malware families. These were not isolated incidents, but a recurring pattern: the same ASN was repeatedly involved across different campaigns, making it a convenient infrastructure hub for threat actors. 

The current picture of Railnet activity can be quickly verified using ANY.RUN’s Threat Intelligence Lookup. Searching by ASN makes it possible to assess how extensively it is involved in malicious chains, which malware families interact with it, and how the nature of that activity changes over time: 

destinationIpAsn:”railnet” 

In the analyzed sandbox sessions, Kamasers was distributed via GCleaner and Amadey, a delivery pattern that has also been observed in other DDoS campaigns.

Attack Geography and Targeting 

Among the observed DDoS targets were companies in the LATAM region. However, according to ANY.RUN’s threat intelligence data, the targeting profile is broader: the education sector is affected most often, along with telecommunications and technology organizations. 

By geographic distribution of observed submissions, the largest share comes from Germany and the United States, with separate cases also recorded in Poland and other countries. During the analysis, control commands in Spanish were also observed. This may indirectly suggest that the botnet may have originated from, or evolved within, a Spanish-speaking operator environment, although its actual activity is clearly international in scope. 

It is also important to consider that the botnet uses the infrastructure of infected hosts to carry out attacks. If corporate systems are compromised, the organization may not only become a potential target itself, but also inadvertently serve as a source of attacks against third parties. This creates reputational risks, the possibility of IP address blacklisting, and additional financial costs related to investigation and infrastructure recovery. 

Technical Breakdown of Kamasers  

To better understand the Kamasers botnet architecture, a detailed sample analysis was conducted. The starting point was the sample from this ANY.RUN sandbox session:

Check analysis session 

This was followed by reverse engineering of the binary. The analysis focused primarily on how the malware receives and processes commands from the C2 server, as well as the attack capabilities implemented in the sample. 

After launch, the malware begins retrieving commands through a Dead Drop Resolver mechanism. It uses public services such as GitHub Gist, Telegram, Dropbox, and Bitbucket as intermediary sources. From these sources, the bot extracts the address of the real C2 server and then establishes a connection to it. 

Command processing takes place in several stages. First, the bot verifies that the command format is valid. All valid commands must begin with the “!” character. If this prefix is missing, the command is rejected and not executed. 

After validating the prefix, the bot matches the command against an internal handler table. The analysis showed that Kamasers uses a handler caching mechanism. If the previously used handler matches the current command index, the bot takes a fast path without performing another lookup. Otherwise, it triggers the dynamic resolution routine. 

This mechanism can be briefly described as shown in the pseudocode above. 

One of the most illustrative commands is !udppro. It implements a high-speed UDP flood with support for source IP spoofing. Code analysis shows the standard sequence for creating a UDP socket via the WinSock API using the AF_INET, SOCK_DGRAM, and IPPROTO_UDP parameters. 

After initializing the socket, the malware configures the packet transmission parameters. Support for IP spoofing enables reflection and amplification attacks through public NTP and DNS servers. In such scenarios, the victim receives responses that are significantly larger than the original requests, leading to a sharp increase in load.  

The !download command is also present, implementing a Download & Execute mechanism. The bot retrieves an executable file from the specified URL, checks for the MZ signature, allocates memory, maps the sections, and transfers execution to the entry point. If successful, it sends a task completion message; if an error occurs, it generates a failure notification. 

Implementation of Dead Drop Resolver Channels

Kamasers uses four Dead Drop Resolver channels: GitHub Gist, a Telegram bot, a file hosted on Dropbox, and a Bitbucket repository. Importantly, links to these services are not stored in the sample in plain form. Instead, they are constructed and unpacked dynamically at runtime, which is why such strings do not appear during static analysis of the binary. 

The Dead Drop Resolver (DDR) mechanism serves as an intermediary layer between the bot and the primary C2 server. After launch, the malware sequentially sends HTTP GET requests to each of the public resources. The content hosted there contains the current address of the command-and-control server. Once a response is received, the bot extracts the C2 address and establishes a direct connection to continue receiving commands. 

If the first source returns a valid address, no further requests are made. If the connection fails or the response is invalid, the bot automatically falls back to the next channel: Telegram, then Dropbox, and finally Bitbucket. 

All of these resources ultimately point to the same C2 infrastructure: 

If none of the DDR channels responds, the malware falls back to a built-in list of backup domains. 

Catching Kamasers Early: A Practical Detection Approach 

Kamasers shows how a single malware infection can quickly turn into a broader business problem. Beyond DDoS activity, the botnet can also download and execute additional payloads, increasing the risk of deeper compromise. 

For security teams, the challenge is not only spotting the malware itself but also understanding whether an infected host is being used for external attacks, communicating with resilient C2 infrastructure, or pulling in follow-on payloads. 

Early detection depends on moving quickly from suspicious network activity to confirmed malicious behavior. 

1. Monitoring: Spot Malicious Infrastructure and Unusual Network Behavior Early 

Kamasers relies on external infrastructure to receive commands, retrieve C2 addresses, and in some cases download additional payloads. It also uses public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and even Etherscan as part of its Dead Drop Resolver logic. 

Monitoring for suspicious outbound connections, newly observed infrastructure, and repeated communication with known malicious hosting can help teams detect activity before the infection leads to larger operational impact. 

ANY.RUN’s Threat Intelligence Feeds help surface suspicious indicators early, giving SOC teams faster visibility into malicious domains, IPs, and infrastructure patterns linked to emerging threats. 

2. Triage: Confirm Botnet Activity with Behavior-Based Analysis 

With threats like Kamasers, static detection alone may not show the full risk. A suspicious file may appear inconclusive until its real behavior is observed during execution. 

Running the sample inside the ANY.RUN interactive sandbox makes it possible to confirm the full execution flow, including: 

• retrieval of C2 data through Dead Drop Resolver channels 
• connection to the active command-and-control server 
• receipt and execution of DDoS commands 
• download-and-execute behavior through commands like !download or !descargar 
• status reporting back to the C2 infrastructure 

This helps teams quickly determine whether the malware is only participating in DDoS activity or whether it also creates risk of further payload delivery and deeper compromise. 

3. Threat Hunting: Pivot from One Sample to Related Infrastructure 

Once Kamasers is confirmed, the next step is understanding how far the activity may extend. 

Using ANY.RUN’s Threat Intelligence Lookup, teams can pivot from the initial sample to uncover related infrastructure, connected sessions, and recurring patterns across the broader campaign. 

This makes it possible to: 

• identify other samples tied to the Kamasers family 
• trace infrastructure linked to the botnet’s C2 activity 
• investigate repeated use of ASN-linked hosting such as Railnet
• expand detection based on shared behavior and network indicators 

threatName:”kamasers” 

By pivoting from one confirmed sample, security teams can turn a single investigation into broader visibility across related botnet activity. 

Conclusion 

Kamasers is a sophisticated DDoS botnet with a well-designed architecture. Its use of a Dead Drop Resolver through legitimate services makes its C2 infrastructure highly resilient to takedown efforts. The presence of 16 different attack methods, including modern vectors such as GraphQL and HTTP bypass, along with advanced implementations of classic techniques, makes Kamasers a highly versatile tool for carrying out DDoS attacks. 

For business leaders, Kamasers shows that resilient, multi-vector botnets can threaten not only infrastructure, but also uptime, customer experience, and revenue-critical operations. 

Power faster, clearer investigations with ANY.RUN ➜ 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from initial alert to final containment.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an interactive environment, enrich indicators with immediate context through TI Lookup, and continuously monitor emerging infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN also meets enterprise security and compliance expectations. The company is SOC 2 Type II certified, reinforcing its commitment to protecting customer data and maintaining strong security controls.  

Complete List of Kamasers Commands 

Indicators of Compromise (IOCs)   

• F6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b
• Dd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a
• hxxp://45[.]151[.]91[.]187/pa[.]php
• hxxp://91[.]92[.]240[.]50/pit/wp[.]php
• 071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52
• hxxp://178[.]16[.]54[.]87/uda/ph[.]php

C2 Infrastructure (DDR): 

• gist[.]github[.]com/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa[.]js
• api[.]telegram[.]org/bot8215158687:AAFgSmsaxfsJozcHIIYPv-HytZ3eCEaUrKg
• dl[.]dropboxusercontent[.]com/s/jqvpmc0kwg6ffi1mineh2/fj[.]txt
• Bitbucket[.]org/serky/repyx/raw/main/fq[.]txt

Fallback domains: 

• pitybux[.]com
• ryxuz[.]com
• toksm[.]com
• Boskuh[.]com

Yara rules: 

rule Kamasers { 

    meta: 

        description = “Detects Kamasers DDoS botnet” 

        author = “ANY.RUN” 

        date = “2026-02-11” 

        threat = “Kamasers” 

    strings: 

        $cmd1 = “!stop” ascii fullword 

        $cmd2 = “!download” ascii fullword 

        $cmd3 = “!visiturl” ascii fullword 

        $cmd4 = “!httpget” ascii fullword 

        $cmd5 = “!httpgetpro” ascii fullword 

        $cmd6 = “!httppost” ascii fullword 

        $cmd7 = “!tlsflood” ascii fullword 

        $cmd8 = “!httpbypass” ascii fullword 

        $cmd9 = “!graphql” ascii fullword 

        $cmd10 = “!httphulk” ascii fullword 

        $cmd11 = “!fastflood” ascii fullword 

        $cmd12 = “!proloris” ascii fullword 

        $cmd13 = “!slowread” ascii fullword 

        $cmd14 = “!udppro” ascii fullword 

        $cmd15 = “!tcppro” ascii fullword 

        $cmd16 = “!tcphold” ascii fullword 

        $msg1 = “Task completed:” ascii fullword 

        $msg2 = “Task completed: GraphQL Flood on” ascii fullword 

        $msg3 = “Task completed: HULK on” ascii fullword 

        $msg4 = “Task completed: UDPPRO Flood on” ascii fullword 

        $msg5 = “Task completed: TCPPRO Flood on” ascii fullword 

        $msg6 = “Task completed: TCP HOLD on” ascii fullword 

        $msg7 = “Task completed: Download & Execute from” ascii fullword 

        $msg8 = “Task completed: Visit URL” ascii fullword 

        $msg9 = “Starting GraphQL Flood on” ascii fullword 

        $msg10 = “Starting HULK on” ascii fullword 

        $msg11 = “Starting UDP PRO on” ascii fullword 

        $msg12 = “Starting TCP PRO on” ascii fullword 

        $msg13 = “Starting TCP HOLD on” ascii fullword 

        $msg14 = “Starting Visit URL task on” ascii fullword 

        $msg15 = “Runtime error in D&E task:” ascii fullword 

        $msg16 = “Unknown exception in DownloadAndExecuteTask” ascii fullword 

        $msg17 = “Awaiting task” ascii fullword 

        $msg18 = “Downloading file from:” ascii fullword 

        $msg19 = “Downloaded file disappeared (AV/EDR?)” ascii fullword 

        $msg20 = “Download failed with HRESULT:” ascii fullword 

        $msg21 = “HTTP GET Flood” ascii fullword 

        $msg22 = “HTTP GET PRO” ascii fullword 

        $msg23 = “HTTP POST Flood” ascii fullword 

        $msg24 = “HULK_POST” ascii fullword 

    condition: 

        uint16(0) == 0x5A4D and 

        (10 of ($cmd*)) and 

        (8 of ($msg*)) 

} 

The post Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide  appeared first on ANY.RUN's Cybersecurity Blog.

In this new addition to our success story series, we explore how the healthcare organization’s SOC team improved detection, triage, and response efficiency while maintaining the existing operational processes. 

Organization Overview 

Health Shared Services is a healthcare support organization based in Alberta, Canada.  Its SOC team consists of 16 analysts with approximately 130,000 endpoints and 160,000 employees to secure. 

Key Challenge: Limited Threat Visibility During Investigations 

For SOCs supporting large organizations, it’s critical to recognize the time to scale to keep pace with growing infrastructure and current threat landscape.  

At Health Shared Services, the security team eventually traced several operational issues back to a single underlying limitation: their previous solution did not provide enough visibility into what suspicious files and URLs actually did after execution. 

Analysts often lacked the behavioral context needed to quickly understand whether a threat was real and how it could impact their environment. 

“Missing critical pieces of information for executed samples reduced our time to investigate, which was frustrating and preventable.” 

Without detailed behavioral insights, faced several consequences: 

• Extended incident resolution time: Limited threat context, e.g., lack of logs and information on executed payloads in their previous solutions, increased MTTR, leaving the infrastructure more exposed to potential threats. 

• Limited time for proper investigation: Missing critical pieces of information on analyzed samples also led to rushed decisions, leaving little room for deeper insights. 

• Team morale challenges: Visibility gaps that could have been addressed with a more context-rich solution led to frustration and fatigue among SOC team members. 

That’s why when Health Shared Services’ previous security solution expired, the team’s leader took the opportunity to reassess their approach and look for a solution that could support their work better. 

Why Health Shared Services Chose ANY.RUN 

When searching for a new security solution, the organization’s Interim CISO considered several key factors: 

• Community reputation 

• Cost efficiency 

• Investigative capabilities 

According to the security leader, ANY.RUN’s Interactive Sandbox stood out in each of these areas. 

The solution is acknowledged and frequently recommended among cybersecurity experts, remains a reasonably priced option for enterprise teams, and provides unique capabilities not commonly offered by other solutions. 

Decision-makers at the healthcare organization also viewed ANY.RUN’s sandbox as more than a solution that simply facilitates malware analysis, but a driver for better metrics across SOC processes: 

“ANY.RUN provided not only the fundamentals needed to complete our investigations but also improved our mean time to resolve incidents.” 

How Health Shared Services Implemented ANY.RUN’s Sandbox 

The organization’s Interim CISO shared that when implementing ANY.RUN’s solution, the team didn’t need to redesign their core processes. Instead, the SOC refined their investigation cycle and reached better results without significant workflow changes. 

They saw improvements across several operational areas since adopting ANY.RUN: 

• Better detection: detailed threat data empowers analysts to process incidents with higher accuracy. 

• Stronger triage: low false-positive rate (FPR) makes it easier and faster to process alerts. 

• Faster response: efficient reporting and behavioral artifacts support more confident decisions. 

The Interim CISO noted that the solution also improved the team’s ability to communicate investigation findings to leadership: 

“It enhanced our team’s time to complete investigations and aided us in providing specific details for executive questions.” 

Performance Impact  

By executing suspicious files in ANY.RUN and reviewing behavioral artifacts, analysts were able to gather the context that had previously been missing during investigations. 

From a leadership standpoint, the most important improvement has been the impact on SOC performance metrics and investigation confidence. For analysts, this looks like the ability to understand threats faster and deeper.  

Key benefits observed by the SOC team 

Through these outcomes, the team was able to strengthen their ability to respond to security incidents effectively, covering all key challenges they had to face, from alert fatigue to high MTTR.  

“ANY.RUN has bettered our SOC’s key metrics like MTTD and MTTR by providing a mature solution to sandboxing that is both well received by executives and the analysts.” 

The organization continues to use ANY.RUN and plans to integrate our solutions with their SOAR platform in the future. 

Conclusion 

For Health Shared Services, adopting ANY.RUN strengthened their existing SOC operations without requiring major workflow changes. 

This case highlights how large enterprises across industries benefit from deep threat context, real-time behavioral insights, and efficient reporting ANY.RUN offers.  

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, integrates seamlessly into modern SOC operations. It supports investigations from triage to incident response, improving metrics like DR and MTTR. 

ANY.RUN’s Interactive Sandbox aids in deep threat behavior observation, while threat intelligence solutions Threat Intelligence Lookup and Threat Intelligence Feeds empower analysts with rich community-sources context. 

Over 600,000 SOC analysts across 15,000+ teams rely on ANY.RUN’s solutions. SOC 2 Type II certification allows us to protect customer data and maintain strong security controls.  

The post Canada-Based Organization Health Shared Services Accelerates SOC Investigations with ANY.RUN  appeared first on ANY.RUN's Cybersecurity Blog.