🚀 You now can integrate #ANYRUN's Threat Intelligence Feeds via #TAXII protocol.
Learn how you can use this fast and secure way to receive our fresh, uniquely sourced network #IOCs for proactive monitoring and detection ⬇️
https://any.run/cybersecurity-blog/taxii-protocol-integration/?utm_source=mastodon&utm_medium=post&utm_campaign=taxii_protocol_integration&utm_term=120625&utm_content=linktoblog
👾 Octo is an #Android #trojan targeting financial institutions, mobile bank users, and enterprise networks, posing a serious risk to both individuals and organizations.
See analysis and collect #IOCs for proactive detection: https://any.run/malware-trends/octo/?utm_source=mastodon&utm_medium=post&utm_campaign=octo_overview&utm_content=tracker&utm_term=120625
🎯 Threat Intelligence Feeds play a major role in #SOC performance.
🔍 Find out how #ANYRUN's feeds, offering fresh #IOCs from threats across 15k businesses, can level up your ability to monitor, detect, and mitigate incidents.
https://any.run/cybersecurity-blog/threat-intelligence-feeds-for-better-soc-performance/?utm_source=mastodon&utm_medium=post&utm_campaign=ti_feeds_for_soc&utm_term=110625&utm_content=linktoblog
Did you know that ticura offers cybersecurity professionals a free guest account, giving you a single pane of glass into nearly 1,000 free Threat Intelligence sources?
As a guest user, you can:
- Search for IOCs: Look up Indicators of Compromise (IOCs) and access detailed information, including when they were first detected, which sources still consider them relevant, and the industries most affected.
- Related Vulnerabilities (hat tip to CIRCL (Computer Incident Response Center Luxembourg), MITRE, and more: Instantly gain insights such as related vulnerabilities, MITRE ATT&CK mappings, threat names, affected industries, and more.
- AI Reports: Even with a free account, you receive daily credits to use our AI EXPLAIN feature, which generates clear summary and detailed reports based on converged Threat Intelligence—making it easy to understand and act.
Curious? Sign up for a free account and explore:
https://app.ticura.io
#Cybersecurity #ThreatIntelligence #IOCs #MITREATTACK #AI #ticura #Vulnerabilities
👨💻 #ANYRUN's Threat Intelligence Feeds include #IOCs, IOBs, and IOAs from the latest attacks on 15,000 organizations.
🔍 Discover how integrating them can improve threat detection and help your business meet key security KPIs: https://any.run/cybersecurity-blog/reduce-mttd-with-ti-feeds/?utm_source=mastodon&utm_medium=post&utm_campaign=SOC_KPIs_feeds&utm_content=linktoblog&utm_term=040625
👾 #SVCStealer is an #infostealer written in C++ that emerged this January.
It targets victims' credentials, credit card details, and crypto wallet data.
👨💻 Collect #IOCs & see analysis sessions: https://any.run/malware-trends/svcstealer/?utm_source=discord&utm_medium=post&utm_campaign=SVCStealer&utm_content=tracker&utm_term=020625
🚨 Top 20 #phishing domain zones in active use.
Threat actors use phishing domains across the full spectrum of #TLDs to target both organizations and individuals.
📊 According to recent analyses, the following zones stand out:
.es, .sbs, .dev, .cfd, .ru frequently seen in fake logins and documents, delivery scams, and credential harvesting.
.es: https://app.any.run/tasks/156afa86-b122-425e-be24-a1b4acf028f3/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
.sbs: https://app.any.run/tasks/0aa37622-3786-42fd-8760-c7ee6f0d2968/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
.cfd: https://app.any.run/tasks/fccbb6f2-cb99-4560-9279-9c0d49001e4a/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
.ru: https://app.any.run/tasks/443c77a8-6fc9-468f-b860-42b8688b442c/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
⚠️ .li is ranked #1 by malicious ratio, with 57% of observed domains flagged. While many of them don’t host phishing payloads directly, .li is frequently used as a redirector. It points victims to #malicious landing pages, fake login forms, or #malware downloads. This makes it an integral part of phishing chains that are often overlooked in detection pipelines.
See analysis sessions:
🔹 https://app.any.run/tasks/7c8817ed-0015-4aca-aebf-67a42bede434/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
🔹 https://app.any.run/tasks/dba022ab-f4d0-4fcc-b898-0f35a383804e/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
🔹 https://app.any.run/tasks/71edb06f-0900-45c1-a6be-27ab90eb0852/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
📌 Budget TLDs like .sbs, .cfd, and .icu are cheap and easy to register, making them a common choice for phishing. Their low cost enables mass registration of disposable domains by threat actors. #ANYRUN Sandbox allows SOC teams to analyze suspicious domains and extract #IOCs in real time, helping improve detection and threat intelligence workflows.
.icu: https://app.any.run/tasks/2b90d34b-0141-41aa-a612-fe68546da75e/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
🚨 By contrast, domains like .dev are often abused via temporary hosting platforms such as pages[.]dev and workers[.]dev. These services make it easy to deploy phishing sites that appear trustworthy, especially to non-technical users.
See analysis sessions:
🔹 https://app.any.run/tasks/eb6e8714-7974-40ac-8418-0612270a74c3/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
🔹 https://app.any.run/browses/01e39686-bb52-4db3-a0c0-dcec41bb2613/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds&utm_content=linktoservice&utm_term=280525
Use #ANYRUN to safely detonate phishing URLs, uncover redirect logic, and observe malicious behavior in a controlled environment 👨💻
🎁 Explore #ANYRUN's Birthday offers: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=phish_tlds_bd25&utm_term=280525&utm_content=linktopricing/
Command-and-control IPv4 map, 2025-05-14 to 2025-05-27 #IOCs
https://abjuri5t.github.io/SarlackLab/
38.128.0[.]0/9
124.220.0[.]0/14
1.94.0[.]0/15
43.136.0[.]0/13
176.65.140[.]0/23
47.92.0[.]0/14
196.251.116[.]0/23
13.48.0[.]0/12
106.52.0[.]0/14
39.104.0[.]0/14
111.229.0[.]0/16
👾 Octo is an Android #trojan targeting mobile bank users and financial institutions
It steals credentials, takes screenshots, and collects messages
Learn more & gather #IOCs
🔗 https://any.run/malware-trends/Octo/?utm_source=mastodon&utm_medium=post&utm_campaign=octo&utm_content=linktotracker&utm_term=190525
👾 #VanHelsing #ransomware emerged this March but has already proven dangerous and tricky as a scalable multiplatform #RaaS targeting critical industries and infrastructure.
➡️ Learn more & collect #IOCs for proactive detection: https://any.run/malware-trends/VanHelsing/?utm_source=mastodon&utm_medium=post&utm_campaign=vanhelsing&utm_content=tracker&utm_term=120525
🚨 #Diamorphine rootkit deploys crypto miner on #Linux
⚠️ A forked script is used to stealthily deploy a cryptocurrency #miner, disguised as a Python file. Diamorphine intercepts system calls and hides its presence. Let’s take a closer look at this threat’s behavior using #ANYRUN’s Linux VM, which provides full visibility into process activity and persistence mechanisms.
The attack #script capabilities:
🔹 Propagating from the compromised host to other systems, including stealing SSH keys to move laterally
🔹 Privilege escalation
🔹 Installing required dependencies
🔹 Establishing persistence via #systemd
🔹 Terminating rival cryptocurrency miners
🔹 Establishing a three‑layer self‑defense stack:
– Replacing the ps utility
– Installing the Diamorphine #rootkit
– Loading a library that intercepts system calls
❗️ Both the rootkit and the miner are built from open‑source code obtained on #GitHub, highlighting the ongoing abuse of publicly available tooling in Linux threats.
👨💻 See Linux analysis session and collect #IOCs: https://app.any.run/tasks/a750fe79-9565-449d-afa3-7e523f84c6ad/?utm_source=mastodon&utm_medium=post&utm_campaign=diamorphine&utm_term=070525&utm_content=linktoservice
🔍 Use this TI Lookup query to find fresh samples and enhance your organization's security response: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=diamorphine&utm_content=linktotilookup&utm_term=070525#%7B%2522query%2522:%2522commandLine:%255C%2522Diamorphine.ko%255C%2522%2522,%2522dateRange%2522:180%7D%20
Analyze and investigate the latest #malware and phishing threats with #ANYRUN 🚀
👾 Chaos is a #RaaS that also acts as a #wiper, RAT, or even #DDoS botnet.
🎯 It targets both large companies across different industries and SMEs with weak #cybersecurity posture.
👉 Learn more & collect #IOCs: https://any.run/malware-trends/chaos/?utm_source=mastodon&utm_medium=post&utm_campaign=chaos&utm_content=linktomtt&utm_term=050525
🚨 Hunting #SheByte PhaaS Platform: The LabHost Successor
🎯 This #PhaaS targets major banks in Canada and USA, including Interac, delivery services, telecom, toll roads. It also extends to Coinbase, popular email providers like Yahoo, Gmail, and Outlook, and impersonates brands such as Bell, Apple, and Amazon.
Following the #LabHost takedown in early 2024, SheByte operators are working to fill the gap by promoting their platform via Telegram and releasing major updates:
🔹 Geofiltering: prevents access to the phishing page from outside the targeted regions.
🔹 Connection Type Filtering: restricts VPN, hosting, mobile.
🔹 Fingerprint Detection: detects bots and sandboxes.
🔹 Enhanced Control of Page Flow: enables real-time control over the victim’s interaction flow.
🔹 V2 Page Builder: phishing page builder that mimics legitimate sites, adds custom data-stealing forms, and requires no coding skills.
🔗 Execution chain:
Phishing link ➡️ Fake bank login page ➡️ Credential harvesting ➡️ OTP interception ➡️ Security question capture ➡️ Redirect to legitimate bank site
👨💻 With #ANYRUN Sandbox, analysts can explore the phishing kit functionality available through the phishkit's admin panel: https://app.any.run/tasks/56ddc9be-3d32-405e-a53b-33b90640602e/?utm_source=mastodon&utm_medium=post&utm_campaign=shebyte&utm_content=linktoservice&utm_term=300425
Explore captured and detonated phishing site samples, most likely created using the SheByte phishing builder:
https://app.any.run/tasks/2b23cac6-fe32-4ac8-8f60-1a4758eaf711/?utm_source=mastodon&utm_medium=post&utm_campaign=shebyte&utm_content=linktoservice&utm_term=300425
https://app.any.run/tasks/6aacde46-d7e8-47a1-b2bf-606137c46bd8/?utm_source=mastodon&utm_medium=post&utm_campaign=shebyte&utm_content=linktoservice&utm_term=300425
https://app.any.run/tasks/d39f8b11-b228-4a52-9c4e-3a07fb745f26/?utm_source=mastodon&utm_medium=post&utm_campaign=shebyte&utm_content=linktoservice&utm_term=300425
🔍 These #phishkits often include data collection forms. Victims are tricked into entering sensitive information, which is sent directly to the attacker. This behavior can be used as a hunting pivot:
🔹 /file/db_connect<digits?>.php + request body parameters: name=
🔹 /t3chboiguru<digits?>.php + request body parameters: usr= psd=
📌 Indicators and patterns for hunting SheByte-related infrastructure:
CSS file hashes:
🔹 SHA256: 58d0a27afc6ed22f356c907579f15f41f120c913c118837dba9c1b8da13a5a4f
🔹SHA256: bc054fd38e88a7c9c1db08bd40dfe7ad366fa23efdce184e372d2adb431c91d2
Reverse DNS reused across multiple phishing-related domains:
🔹 my1[.]bode-panda[.]shop
Favicon of FIRST Bank loaded from a non-legitimate domain:
🔹 SHA256: 6e18a721d5559f569e5a6585bb6430c1965788e4607ea6704601872de8168811
🔹 Legitimate domain: bankatfirst[.]com
A URL request chain with a low number of HTTP requests in the session:
🔹 /personal.html
🔹 /otp.html
🔹 /c.html
#IOCs:
172[.]93[.]121[.]9
162.241[.]71.139
172.93[.]120.134
santosjjax[.]com
ghreo[.]net
cractil[.]net
sitygma[.]net
👨💻 SheByte Admin Dashboards:
www[.]lillliiilllliiiiilliilllllllliiii[.]site
jonathanserhan[.]shebyte[.]io
Analyze and investigate the latest #malware and phishing threats with #ANYRUN 🚀
🚨 Fingerprinted & Matched: How #Tycoon2FA Phishing Chooses Its Victims
⚠️ This #phishing technique uses system fingerprinting and geolocation to selectively deliver malicious content. In this case, the phishing page loads only for victims in Argentina, Brazil, and Middle East, as observed during analysis in #ANYRUN Sandbox.
🔗 Execution chain:
HTML ➡️ Hidden IMG ➡️ data-digest ➡️ OnError ➡️ B64 decode ➡️ 𝗙𝗶𝗻𝗴𝗲𝗿𝗽𝗿𝗶𝗻𝘁 🚨 ➡️ POST ➡️ Geolocation match ➡️ Conditional redirect (non-matching users sent to Tesla or Emirates) ➡️ Tycoon2FA
Here’s how it works:
1️⃣ New domains registered via “Squarespace Domains” and hosted on ASN “AS-CHOOPA”.
2️⃣ When visited, these domains immediately forward the user to well-known sites like Tesla, Emirates or SpaceX.
Analysis: https://app.any.run/browses/d9b4ca48-5226-43c1-8232-40d51d37ec8e/?utm_source=mastodon&utm_medium=post&utm_campaign=fingerprinting&utm_term=230425&utm_content=linktoservice
❗️ Right before a redirect, a hidden “img” tag is injected.
Because the image doesn't exist, the onerror event is triggered:
onerror="(new Function(atob(this.dataset.digest)))();"
⚠️ Finally, an invisible form sends the collected to the server data via POST.
If your fingerprint matches:
– UTC-3 (🇦🇷 Argentina, 🇧🇷 Brazil)
– UTC+2 to +4 (🇦🇪 UAE, etc.)
🐟 The server responds with a Location header pointing to the phishing page: hxxps://zkw[.]idrvlqvkov[.]es/dGeaU/
👨💻 #ANYRUN Interactive Sandbox allows analysts to investigate geo-targeted phishing wherever they are: just set a locale and use a residential proxy to trigger and quickly analyze the threat.
#IOCs:
45[.]76[.]251[.]81
155[.]138[.]224[.]49
coldsekin[.]com
kempiox[.]com
kempigd[.]com
ladipscsxc[.]co[.]uk
lopocip[.]com
munkepsx[.]com
stealmarkso[.]com
klassipon[.]com
thartbenx[.]com
alixation[.]co[.]uk
taramikia[.]com
Analyze the latest #malware and phishing threats with #ANYRUN 🚀
I've shared content from these accounts before, but I thought it would be good to put all of them in one place. If you want to stay up to date on #IOCs from different kinds of botnets and C2 infrastructure, follow these accounts.
👾 SpyNote is an Android RAT that targets mobile banking and crypto users in EU. It exfiltrates valuable data, logs keystrokes, and steals app credentials.
Learn more & collect #IOCs: https://any.run/malware-trends/spynote/?utm_source=mastodon&utm_medium=post&utm_campaign=spynote&utm_content=tracker&utm_term=210425
🚨 New #ClickFix scam targets US users with fake MS Defender and CloudFlare pages.
⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.
🎯 The #phishing page loads only for US-based victims, as observed during analysis with a residential IP in #ANYRUN Sandbox.
👨💻 Analysis session: https://app.any.run/browses/50395c46-41f5-4bb3-8205-61262ef4e63d/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice
📍 URL: iaccindia[.]com
The page hijacks the full-screen mode and displays a fake “Windows Defender Security Center” popup.
🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to panic the user.
Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.
🎣 The phishing page may also display a fake CloudFlare message tricking users to execute a #malicious Run command.
Take a look: https://app.any.run/tasks/e83a5861-6006-4b1d-aba8-8536dcaa8057/?utm_source=mastodon&utm_medium=article&utm_campaign=clickfix_scam&utm_term=160425&utm_content=linktoservice
#IOCs:
supermedicalhospital[.]com
adflowtube[.]com
knowhouze[.]com
ecomicrolab[.]com
javascripterhub[.]com
virtual[.]urban-orthodontics[.]com
Streamline threat analysis for your SOC with #ANYRUN 🚀
#ExploreWithANYRUN
Command-and-control domain tree, 2025-04-01 to 2025-04-14 #IOCs
https://abjuri5t.github.io/SarlackLab/
☣️ Interlock #ransomware is targeting healthcare, education, and government via #phishing, exploits, & IABs. It engages in double extortion and impacts both Windows & Linux systems.
Learn more & collect #IOCs: https://any.run/malware-trends/interlock/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=140425
This is scary. Make sure you get the #IOCs and update your #security platforms to protect against this dangerous #RAT: https://www.cyfirma.com/research/neptune-rat-an-advanced-windows-rat-with-system-destruction-capabilities-and-password-exfiltration-from-270-applications/
