⚠️ #JSGuLdr is a multi-stage JavaScript-to-PowerShell loader delivering #PhantomStealer. It uses obfuscation, COM execution, and in-memory loading to minimize on-disk exposure. See the analysis of this month’s threats and detection takeaways for SOC teams: https://lnkd.in/epuZy4AE
ANY.RUN
Computer and Network Security
Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds.
About us
ANY.RUN is built to help security teams detect threats faster and respond with greater confidence. Our goal is to help organizations boost investigation of cybersecurity incidents and increase skill levels of analysts — all while saving resources and time. ANY.RUN's Interactive Sandbox delivers real-time malware analysis and threat intelligence, giving analysts the clarity they need when it matters most. With support for Windows, Linux, and Android environments, our cloud-based sandbox enables deep behavioral analysis without the need for complex setup. Paired with Threat Intelligence Lookup and Feeds, ANY.RUN provides rich context, actionable IOCs, and automation-ready outputs, all with zero infrastructure burden. Follow us on X, Telegram, Facebook, and YouTube. https://x.com/anyrun_app https://t.me/anyrun_app https://www.facebook.com/www.any.run https://www.youtube.com/@ANYRUN
- Website
- https://any.run/?utm_source=linkedin&utm_campaign=bio
- Industry
- Computer and Network Security
- Company size
- 51 - 200 employees
- Headquarters
- Dubai Silicon Oasis
- Type
- Privately Held
- Founded
- 2016
- Specialties
- Malware Analysis, Threat Intelligence, Threat Intelligence Feeds, and Malware Analysis Sandbox
Locations
- Primary
- Dubai Silicon Oasis, Techno Hub 1, Unit 21, 60th Street, Dubai Silicon Oasis, 342001, AE
Updates
🚨 Expose Evasion Tricks in Linux Malware.

Many #Linux botnets and cryptominers hide by replacing system utilities like ps, ls, or netstat. This allows attackers to control what the system reports and conceal malicious activity.

⚠️ Two core techniques make infected systems look clean while attackers remain persistent and unnoticed:

1️⃣ Proxy replacement: The original utility is renamed and moved to another directory, and a malicious proxy takes its place. When the user runs the expected command, the proxy forwards the request to the real binary but filters the output, hiding malicious processes, files, or network activity. As a result, SOC teams reviewing system output may see no signs of compromise at all.

2️⃣ Full replacement: Attackers delete the original utility and replace it with a version that fully imitates its functionality. Since tools like ps, ls, or netstat read directly from filesystem data, they are easy to clone. The malicious version returns normal output while hiding any traces of the botnet or miner.

❗️ Such techniques create blind spots in Linux environments and visibility gaps attackers can exploit, allowing threats to operate undetected and increasing the risk of deeper compromise for organizations.

👨💻 See the analysis of the #Kaiji botnet using full replacement to stay hidden: https://lnkd.in/euJ9wFBh

🎯 TTPs:
- Create or Modify System Process (T1543): Replaces legitimate system utilities with modified versions.
- Indicator Blocking (T1054): Filters output to block indicators.
- Masquerading (T1036): Disguises malicious binaries as system utilities.

⚡ Gain fast detection and full visibility into threats across Windows, Linux, and Android with #ANYRUN. Sign up: https://lnkd.in/edqCuWiF #ExploreWithANYRUN
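A defender-side cross-view check for the two replacement techniques above, added here as an example and not ANY.RUN's code: a proxied or cloned `ps` can filter what it prints, but the kernel's /proc view is untouched, so diffing /proc against `ps` output exposes hidden PIDs, and a magic-byte check flags a utility that has been swapped for a script proxy. The sample /proc listing, `ps` output and proxy stub are constructed; the `live_hidden_pids` helper is an assumption about a typical Linux host.

```python
"""Cross-view detection of replaced ps (added example, not ANY.RUN code)."""
import os
import re
import subprocess

ELF_MAGIC = b"\x7fELF"


def pids_from_proc(entries):
    """PIDs from a directory listing of /proc (numeric names only)."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from `ps -eo pid` style output (one PID per line, header ignored)."""
    return {int(tok) for tok in re.findall(r"^\s*(\d+)\s*$", ps_output, re.M)}


def hidden_pids(proc_entries, ps_output):
    """PIDs the kernel knows about (/proc) that ps did not report."""
    return pids_from_proc(proc_entries) - pids_from_ps(ps_output)


def classify_utility(header):
    """Classify a utility by its first bytes: real ELF, script-based proxy, or other."""
    if header.startswith(ELF_MAGIC):
        return "elf"
    if header.startswith(b"#!"):
        return "script"
    return "unknown"


def live_hidden_pids():
    """Run the same diff on the current host (assumes /proc and a ps binary)."""
    ps_out = subprocess.run(["ps", "-eo", "pid"], capture_output=True, text=True).stdout
    return hidden_pids(os.listdir("/proc"), ps_out)


# Constructed sample: /proc shows PID 4242, but the filtered ps output omits it.
SAMPLE_PROC = ["1", "2", "531", "4242", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "  PID\n    1\n    2\n  531\n"
# Constructed stub of a proxy that forwards to the relocated original binary.
SAMPLE_PS_BIN = b'#!/bin/sh\nexec /var/tmp/.ps_orig "$@"\n'

if __name__ == "__main__":
    print("hidden PIDs in sample:", sorted(hidden_pids(SAMPLE_PROC, SAMPLE_PS)))
    print("sample ps type:", classify_utility(SAMPLE_PS_BIN))
```

On a real host, run the live check from a known-good static binary or a rescue image, since a replaced `ps` is exactly what the check is trying to catch.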
⚠️ #XWorm in PNG files, #JSGuLdr’s three-stage loader, Linux #ransomware, Android RATs; November was packed with multi-layered attacks. See the full analysis of the month’s major threats and key detection takeaways for SOC teams: https://lnkd.in/eu3RWtFn
🏥 More clients meant more pressure for this healthcare MSSP: slow MTTR, manual checks, and constant escalations. #ANYRUN helped them shift to proactive defense with real-time visibility and reliable context for faster decisions. But don’t just take our word for it. Hear directly from the SOC leader and see the measurable outcomes 👇
SOC Leader’s Playbook: 3 Steps to Faster MTTR
🚩 When you deal with hundreds of alerts, how do you spot the ONE that matters? We broke down how threat intelligence turns 15-min investigations into 30-second decisions thanks to actionable context. 👨💻 See how you can use it: https://lnkd.in/eaHaW5jm
🎣 Manual #phishing analysis slows teams down. #ANYRUN's Sandbox turns a 15-minute workflow into a 60-second analysis, giving SOCs up to 3x higher investigation throughput. 👨💻 Expose phishing and malware attacks, full threat behavior, IOCs, and context inside a safe virtual environment. Try now for your team: https://lnkd.in/e9tmfG_7 Read our blog post to see how 15 minutes become 60 seconds: https://lnkd.in/eRQ-ZvRk
🚨 Our latest TI Report outlines cross-platform threats that SOCs should track right now. Key takeaways: 🔹 #BTMOB RAT abuses Accessibility Services to target banking apps 🔹 #PDFChampions is delivered through malvertising, a highly effective initial infection vector 🔹 #Efimer combines phishing and WordPress exploits to steal credentials Each threat introduces new challenges for detection and shows why deep visibility and rich threat intelligence are critical. 👨💻 Read the report, gather #IOCs & TTPs, and see how #ANYRUN helped detect and analyze these threats: https://lnkd.in/e7tn-YAS
Phishing activity in the past 7 days 🐟 Track latest #phishing threats in TI Lookup: https://lnkd.in/dieYsgcX #TopPhishingThreats
⚠️ #DoubleTrouble is an Android banking trojan leveling up mobile cybercrime with dual-stage attacks. It uses MFA interception and modular spyware to target European users. 👨💻 Here’s how it works and how to detect & stop it: https://lnkd.in/egSCFEq6