Top 10 last week's threats by uploads
#Xworm 1044 (641)
#Lumma 479 (476)
#Asyncrat 398 (275)
#Quasar 371 (390)
#Vidar 370 (292)
#Remcos 318 (271)
#Stealc 282 (174)
#Agenttesla 193 (167)
#Guloader 176 (171)
#Smoke 160 (164)
Explore malware in action
#Top10Malware
If you're driving faster response, improving detection coverage, or fighting constant alert overload, this webinar is for you.
Explore a 3-step workflow to cut MTTR, detect threats earlier, and boost performance without adding headcount.
November 25
Register and bring your team
RondoDox botnet exploits 56 vulnerabilities across 30+ vendors to compromise routers, DVRs & enterprise systems.
Uncover RondoDox's "exploit shotgun" strategy.
Dive into detection, prevention, & TI tips
Phishing activity in the past 7 days
Track latest phishing threats in TI Lookup
#TopPhishingThreats
Drowning in phishing alerts, a healthcare MSSP turned things around with #ANYRUN.
Outcome: triage time cut by 76%
See how our sandbox and TI reshaped their workflow, in the SOC leader's own words.
Read the success story
Gunra is a fast-growing ransomware using Conti-based code and double extortion.
It targets Windows/Linux systems in healthcare, manufacturing, and other sectors worldwide, deletes recovery options, and encrypts data across entire networks.
View Gunra sample analysis
Read the full breakdown
Supply chain attacks stay stealthy and disruptive. This DHL impersonation case showed HTML attachments slipping past filters and credential theft via a third-party form service.
Explore the case against the energy sector.
Rundll32, certutil, mshta: attackers abuse them to load payloads without raising alerts.
Security teams using real-time analysis expose these LOLBin tactics fast.
Learn how to achieve it inside your SOC
Can a full phishing chain really be analyzed in ~60 seconds?
See our new breakdown on sandbox vs. manual workflows and how analysts get to the verdict faster.
Learn how you can speed up detection in your SOC
JSGuLdr: Multi-Stage Loader Delivering PhantomStealer
TL;DR: We identified JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel. The payload is decoded in memory and loaded, with PhantomStealer injected into msiexec.exe.
The chain combines obfuscation, cloud-hosted payloads, COM-based execution, and fileless in-memory loading, making it difficult to detect with automated or static detection solutions.
Execution chain: wscript.exe → explorer.exe (svchost.exe) → explorer.exe (COM) → powershell.exe → msiexec.exe
See analysis session
Stage 1: The sample is an obfuscated JScript script signed with a fake Authenticode certificate to bypass trust checks. It builds an encrypted PowerShell string and writes it to %APPDATA%\Registreri62, forming the second stage.
Through Shell.Application and Explorer COM interaction, the script launches powershell.exe under explorer.exe, masking the execution chain as normal user activity.
TTPs: Obfuscation (T1027), Signed binary proxy execution (T1553.006), COM interaction (T1559.001), Proxy execution via explorer.exe (T1218)
Stage 2: The PowerShell code decodes and runs %APPDATA%\Registreri62, reconstructing hidden commands (iex) and loading a new payload from Google Drive. The file is saved as an encrypted container for the third stage.
TTPs: Encrypted payload download (T1105), Cloud storage abuse (T1105), Local file staging (T1074.001)
Stage 3: Autorise131[.]Tel acts as an on-disk container for an in-memory payload.
The same PowerShell process decodes it, extracts bytes, and executes the result through Invoke-Expression, running PhantomStealer filelessly in memory.
The payload is injected into msiexec.exe, enabling PhantomStealer to steal data.
TTPs: Fileless execution (T1059.001), Reflective .NET module loading (T1620), Process injection (T1055), Proxy execution via msiexec.exe (T1218.007)
Track similar activity and pivot from IOCs using this TI Lookup search query
#IOCs:
URL: hxxps://drive[.]google[.]com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd
Files: %APPDATA%\Registreri62, %APPDATA%\Autorise131[.]Tel
CMD: powershell.exe "$Citize=$env:appdata+'\Registreri62';$Guazuma=gc $Citize;$Aristape=$Guazuma[4460..4462] -join ''"
Gain fast detection and full visibility with #ANYRUN. Sign up
#ExploreWithANYRUN
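An added detection example, not code from the post or from ANY.RUN: a small Python script that reconstructs parent/child relations from constructed Sysmon-style process-creation records and flags the traits of the chain described above. Because the Shell.Application COM launch makes powershell.exe a child of explorer.exe rather than of wscript.exe, the script does not look for a wscript → powershell edge; instead it flags a powershell.exe under explorer.exe whose command line reads a file under %APPDATA% and rebuilds it with -join/iex, correlates that with a script host started under the same explorer.exe shortly before, and separately flags msiexec.exe spawned by powershell.exe. The event schema, PIDs, timestamps, file paths and the 60-second sibling window are assumptions made for the demo; only the %APPDATA%\Registreri62 reader fragment mirrors the CMD IOC in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon-style; field names are an assumption)."""
    ts: int        # seconds since an arbitrary epoch (constructed)
    pid: int
    ppid: int
    image: str     # lower-case executable name
    cmdline: str


# Constructed sample telemetry for the demo. PIDs, timestamps and paths are invented;
# only the %APPDATA%\Registreri62 reader fragment mirrors the CMD IOC from the post.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(0, 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(10, 200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"'),
    # Launched via Shell.Application COM, so its parent is explorer.exe, not wscript.exe.
    ProcEvent(12, 300, 100, "powershell.exe",
              "powershell.exe \"$Citize=$env:appdata+'\\Registreri62';"
              "$Guazuma=gc $Citize;$Aristape=$Guazuma[4460..4462] -join ''\""),
    ProcEvent(15, 400, 300, "msiexec.exe", "msiexec.exe"),
    # Benign noise that must not fire.
    ProcEvent(900, 500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(950, 600, 1, "msiexec.exe", "msiexec.exe /i C:\\setup\\app.msi"),
]

# Traits of the stage-2 reader: a file under %APPDATA% is read with gc/Get-Content and
# rebuilt with -join or iex. Loose patterns so renamed variables still match.
APPDATA_REF = re.compile(r"\$env:appdata", re.IGNORECASE)
CONTENT_READ = re.compile(r"\b(gc|cat|type|get-content)\b", re.IGNORECASE)
REBUILD = re.compile(r"(-join\b|\biex\b|invoke-expression)", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SIBLING_WINDOW_S = 60  # assumption: how long before powershell.exe a script host may have started


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for the JSGuLdr-style chain, in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        # Rule 1: msiexec.exe spawned by powershell.exe (the injection/proxy target in the post).
        if e.image == "msiexec.exe" and parent_image == "powershell.exe":
            findings.append(("msiexec_from_powershell", e.pid))
        # Rule 2: powershell.exe under explorer.exe reading and rebuilding a staged %APPDATA% file.
        if (e.image == "powershell.exe" and parent_image == "explorer.exe"
                and APPDATA_REF.search(e.cmdline)
                and CONTENT_READ.search(e.cmdline)
                and REBUILD.search(e.cmdline)):
            findings.append(("appdata_staging_reader", e.pid))
            # Rule 3: the COM launch hides wscript.exe as the true parent, so look for a
            # script host under the same explorer.exe that started shortly before.
            siblings = [s for s in events
                        if s.ppid == e.ppid and s.image in SCRIPT_HOSTS
                        and 0 <= e.ts - s.ts <= SIBLING_WINDOW_S]
            if siblings:
                findings.append(("script_host_sibling", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the constructed events, the two benign records (a scheduled backup script under explorer.exe and an installer run under a system parent) produce no findings, while the loader chain yields three: the staging reader, its wscript.exe sibling, and msiexec.exe under powershell.exe. In a real SOC the same three rules map onto process-creation telemetry with parent image, command line and timestamp fields; the sibling correlation is the piece that a plain parent/child rule misses.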
When alerts overwhelm your SOC, it's time to automate.
#ANYRUN's Sandbox combines automation with interactivity to detonate multi-stage phishing, beat evasion, and deliver verdicts in seconds.
See how it gives your team a measurable advantage
How to cut MTTR?
Get actionable tips in a live webinar on November 25. In this session, our experts will demonstrate how to:
- Reduce MTTR by 21 minutes per incident
- Ensure early detection of new attacks
- Eliminate alert fatigue
- Achieve a 3x performance boost
Who should join?
SOC leaders, security managers, CISOs, and analysts of all tiers looking to improve the security posture.
Register and bring your team
Top 10 last week's threats by uploads
#Xworm 1042 (1044)
#Quasar 413 (371)
#Asyncrat 383 (393)
#Lumma 370 (479)
#Vidar 316 (370)
#Stealc 251 (282)
#Remcos 249 (314)
#Snake 174 (148)
#Agenttesla 170 (192)
#Guloader 168 (176)
Explore malware in action
#Top10Malware
Attackers abuse LOLBins to execute payloads without triggering alerts. The real challenge for SOC teams is spotting this behavior early, before it escalates into a full incident.
See rundll32 abuse delivering Gh0stRAT exposed in real time.
Read the report to learn how to spot LOLBin abuse techniques with interactive analysis.
Live tomorrow! Join us to discover 3 actionable steps that help SOC teams reduce MTTR and improve security posture.
In this session, #ANYRUN experts will walk you through how to:
- Reduce MTTR by 21 minutes per incident
- Ensure early detection of new attacks
- Eliminate alert fatigue
- Achieve a 3x performance boost
Who should join?
SOC leaders, security managers, CISOs, and analysts of all tiers looking to improve the security posture.
Register and bring your team
DoubleTrouble is an Android banking trojan leveling up mobile cybercrime with dual-stage attacks.
It uses MFA interception and modular spyware to target European users.
See how it works and learn how to detect & stop it
Phishing activity in the past 7 days
Track latest phishing threats in TI Lookup
#TopPhishingThreats
Our new TI Report outlines cross-platform threats that SOCs should track right now:
- BTMOB RAT abuses Accessibility Services to target banking apps
- PDFChampions is delivered through malvertising, a highly effective initial infection vector
- Efimer combines phishing and WordPress exploits to steal credentials
Read the report, gather IOCs, and see how #ANYRUN helped detect and analyze these threats with deep visibility and unique threat intelligence