73% of attacks start with phishing, yet SOC teams often miss early signs. IOC enrichment helps detect them earlier and refine detection rules.
See how context-rich data strengthens proactive defense.
Which artifact is hardest to investigate without context? (Anonymous poll)
- Domains & URLs: 19%
- File hashes: 46%
- IP addresses: 19%
- TTPs: 38%
Top 10 last week's threats by uploads
#Lumma 969 (726)
#Quasar 399 (381)
#Amadey 382 (192)
#Redline 376 (179)
#Vidar 365 (275)
#Agenttesla 291 (336)
#Remcos 274 (262)
#Xworm 261 (515)
#Dcrat 245 (209)
#Stealc 233 (224)
Track them all.
#Top10Malware
How prepared is your SOC for evasive malware?
Get practical tips in our live technical #webinar on September 17.
Our experts will break down real cases, from #phishing kits and #ClickFix to Living-Off-the-Land attacks, and share detection methods teams can apply right away.
Save your spot.
BTMOB RAT is rewriting mobile cybersecurity rules in 2025!
This $5K Android malware weaponizes accessibility features for live screen control, banking overlay attacks, and crypto theft.
Learn its spread, impact & defense.
Phishing activity in the past 7 days.
Track the latest phishing threats in TI Lookup, now available for free.
#ANYRUN now integrates with Cortex XSOAR from Palo Alto Networks.
Solve alert fatigue, missed incidents, and slow response with automated sandbox analysis and fresh threat intelligence.
Simplify workflows, boost defense.
Malicious SVG Leads to Microsoft-Themed PhishKit.
We observed a phishing campaign that began with testing activity on September 10 and scaled into full spam activity by September 15.
A legitimate domain was abused to host a malicious SVG disguised as a PDF. Attackers hide redirects and scripts inside images to bypass controls and social-engineer users into phishing flows.
This case shows structured infrastructure similar to a PhaaS framework, which reflects how attackers rely on robust, scalable models for mass credential harvesting, now standard across the phishing ecosystem.
For enterprises, the risks are blind spots in monitoring, delayed detection and response, and an increased risk of credential theft or data breach.
When opened in a browser, the SVG displays a fake "protected document" message and redirects the user through several phishing domains. The chain includes Microsoft-themed lures such as:
- loginmicrosft365[.]powerappsportals[.]com
- loginmicr0sft0nlineofy[.]52632651246148569845521065[.]cc
The final phishing page mimics a Microsoft login and uses a Cloudflare Turnstile widget to appear legitimate.
Unlike standard image formats, SVG is an XML-based document that can embed malicious JavaScript or hidden links. Here, the redirect was triggered by a script acting as an XOR decoder, which rebuilt the redirect code and executed it via eval.
For SOC analysts, being able to trace every redirect step and uncover hidden payloads is critical when investigating phishing campaigns. See execution on a live system and collect IOCs.
For CISOs, the critical takeaway is that attackers exploit trusted platforms and brand impersonation to bypass defenses, directly threatening business resilience and user trust.
Use these TI Lookup search queries to expand visibility and enrich #IOCs with actionable threat context.
Suspicious SVG downloads:
- commandLine:"Downloads\\*.svg"
Microsoft-themed phishing domains:
- domainName:"microsoft.*.*"
- domainName:"^loginmicr?sft*.cc$"
IOCs:
Revised _payment_and_Benefitschart.pdf______-.svg
A7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892
Strengthen resilience and protect critical assets through proactive security with #ANYRUN. #ExploreWithANYRUN
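The post describes an SVG whose embedded script XOR-decodes a redirect and runs it through eval. The following is an added example, not ANY.RUN's code or the campaign's file: a static triage routine that lists risky constructs in an SVG and recovers a single-byte-XOR-obfuscated string without executing anything. The sample SVG, its key and the placeholder redirect target are all constructed here, and the decoder assumes the simple `var key = N; [bytes]` stub layout, which is a simplification of real obfuscation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the campaign's file): a "protected document" lure whose
# script XOR-decodes a redirect with a single-byte key and runs it through eval.
_XOR_KEY = 23
_LURE = 'location.href="https://login-lure.example.invalid/"'  # placeholder target
_ENC = ",".join(str(ord(c) ^ _XOR_KEY) for c in _LURE)
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <text x="20" y="40">Protected document - please wait...</text>
  <script><![CDATA[
    var k = {_XOR_KEY};
    var d = [{_ENC}];
    var s = "";
    for (var i = 0; i < d.length; i++) s += String.fromCharCode(d[i] ^ k);
    eval(s);
  ]]></script>
</svg>"""

# Tokens that rarely belong in a document that is supposed to be a static picture.
SUSPICIOUS = ("eval(", "fromCharCode", "atob(", "document.write", "location")

def static_xor_decode(script):
    """Recover a single-byte-XOR string from a decoder stub; None if no match."""
    xor_var = re.search(r"\^\s*([A-Za-z_]\w*)", script)   # the key variable
    if not xor_var:
        return None
    key = re.search(r"\b%s\s*=\s*(\d+)" % re.escape(xor_var.group(1)), script)
    data = re.search(r"\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]", script)  # byte array
    if not (key and data):
        return None
    k = int(key.group(1))
    return "".join(chr(int(b) ^ k) for b in data.group(1).split(","))

def triage_svg(svg_text):
    """Static triage: risky constructs, decoded strings and the URLs inside them."""
    findings, decoded = [], []
    for el in ET.fromstring(svg_text).iter():
        for attr in el.attrib:
            if attr.lower().startswith("on"):            # onload= and friends
                findings.append(f"event handler attribute {attr}")
        if el.tag.endswith("script"):                     # handles the SVG namespace
            body = el.text or ""
            findings += [f"script uses {t}" for t in SUSPICIOUS if t in body]
            plain = static_xor_decode(body)
            if plain:
                decoded.append(plain)
    urls = re.findall(r"https?://[^\s\"']+", " ".join(decoded))
    return {"findings": findings, "decoded": decoded, "urls": urls}
```

Note that the script body itself never contains the string "location"; only the decoded output does, which is why static decoding, not keyword matching alone, is what exposes the redirect target.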
Cutting response times is not rocket science.
It requires clear steps that every SOC can take to achieve faster MTTR.
See how your team can become more efficient.
Can your team spot evasive attacks in real time?
See phishing kits, ClickFix & LotL cases broken down by #ANYRUN experts.
Only 3 hours left!
Learn how to expand visibility, reduce workload, and improve detection & response.
Save your spot.
Is your SOC still reacting to threats instead of anticipating them?
With #ANYRUN's TI Lookup and TI Feeds, your team gains fast, reliable intelligence to act proactively, cut response time, and reduce blind spots.
Read our guide for CISOs.
Are blind spots slowing you down?
TI Lookup gives your team rich threat intel to cut MTTR and enrich proactive defense.
Expand visibility with 24x more IOCs powered by data from 15K+ SOCs worldwide. Sign up for ANY.RUN.
SOC efficiency proven in numbers:
+62.7% more threats detected, MTTR cut to 21 min per case, and 30% fewer escalations.
#ANYRUN unifies workflows so analysts act faster, resolve incidents confidently, and scale without extra hires.
Learn how to transform your SOC.
Apple-Themed Phishing Rises with iPhone Launch.
Every high-profile release creates new phishing waves. Apple-themed phishing lures now range from fake pre-order offers to security alerts about Apple ID and iCloud accounts.
The outcome is predictable: victims hand over personal data and linked payment details. For companies the risk goes beyond personal data, as compromised accounts can expose synced corporate files.
Protecting business continuity requires monitoring and detecting brand impersonation before it affects employees and corporate resilience.
Let's explore two recent cases.
1. Phishing page imitating Apple's Find Devices service.
Victims were asked to enter a 6-digit code (any value was accepted), then Apple ID credentials, which were exfiltrated via HTTP requests. The page combined legitimate iCloud CSS styles with #malicious scripts that capture and send credentials.
View the execution chain on a live system.
2. Phishing page mimicking Apple's iCloud infrastructure.
The page used multiple subdomains to mimic Apple's structure and appear legitimate: ^gateway.*, ^feedbackws.*, and more.
See analysis and collect IOCs.
Use these TI Lookup queries to uncover similar phishing domains and enrich #IOCs with actionable threat context:
- iCloud lookalike infrastructure: domainName:"^feedbackws." AND NOT domainName:"icloud.com$" AND NOT domainName:"apple.com$"
- Apple favicon abuse outside legitimate domains: sha256:"2ee7ca9b189df54d7ccdd064d75d0143a8229bae9bdb69f37105e59f433c0a8b" AND NOT domainName:"icloud.com$" AND NOT domainName:"apple.com$"
IOCs:
Domains:
myapple[.]appbuscarlocal[.]xyz
nasdemgarut[.]org
udp-aleppo[.]org
Official Apple favicon used to hunt for site mismatch (SHA256): 2ee7ca9b189df54d7ccdd064d75d0143a8229bae9bdb69f37105e59f433c0a8b
Expand threat visibility, strengthen defenses, and uncover hidden attack flows with #ANYRUN to protect users and ensure business continuity. #ExploreWithANYRUN
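The two TI Lookup queries above combine a lookalike test (an iCloud service label or the official Apple favicon) with an exclusion of apple.com and icloud.com. The following is an added example, not ANY.RUN's or Apple's code: the same hunting logic applied locally to (hostname, favicon hash) observations such as those a proxy or DNS log would yield. The favicon hash and the myapple domain come from the post; every other host is constructed, and the Apple-owned check is a plain suffix match.

```python
import re

# Official Apple favicon hash quoted in the post: a brand asset that should only
# be served from Apple-owned hosts.
APPLE_FAVICON_SHA256 = "2ee7ca9b189df54d7ccdd064d75d0143a8229bae9bdb69f37105e59f433c0a8b"
LEGIT_SUFFIXES = ("icloud.com", "apple.com")
ICLOUD_LABELS = ("feedbackws", "gateway")  # service labels the lookalike copied

def is_apple_owned(host):
    """True for apple.com / icloud.com and their subdomains (suffix match only)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def lookalike_reasons(host, favicon_sha256=None):
    """Why a host looks like Apple infrastructure; an empty list means no finding."""
    if is_apple_owned(host):
        return []
    reasons = []
    first_label = host.lower().split(".")[0]
    if first_label in ICLOUD_LABELS:
        reasons.append(f"iCloud service label '{first_label}' outside Apple domains")
    if re.search(r"icloud|apple", host, re.I):
        reasons.append("Apple brand string in hostname")
    if favicon_sha256 and favicon_sha256.lower() == APPLE_FAVICON_SHA256:
        reasons.append("official Apple favicon served from a non-Apple host")
    return reasons

def hunt(observations):
    """Map each flagged host to its reasons; observations are (host, favicon) pairs."""
    hits = {}
    for host, favicon in observations:
        reasons = lookalike_reasons(host, favicon)
        if reasons:
            hits[host] = reasons
    return hits

# Constructed observations: two legitimate hosts, one constructed lookalike, one
# IOC from the post (refanged) and one unrelated host.
SAMPLE_OBSERVATIONS = [
    ("feedbackws.icloud.com", APPLE_FAVICON_SHA256),
    ("gateway.icloud.com", None),
    ("feedbackws.icloud-verify.example", APPLE_FAVICON_SHA256),
    ("myapple.appbuscarlocal.xyz", APPLE_FAVICON_SHA256),
    ("intranet.example", None),
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_OBSERVATIONS).items():
        print(host, "->", "; ".join(reasons))
```

A host like apple.com.evil.example is not matched by the suffix check and is flagged on the brand string alone, which is the case the NOT domainName exclusions in the queries are designed to keep out of the allowlist.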
Top 10 last week's threats by uploads
#Lumma 696 (951)
#Quasar 409 (390)
#Vidar 406 (355)
#Agenttesla 387 (285)
#Remcos 340 (263)
#Amadey 302 (372)
#Dcrat 285 (238)
#Stealc 285 (226)
#Njrat 277 (205)
#Xworm 240 (254)
Track them all.
#Top10Malware