Have you tried our new Tier 1 Reports yet?
▲ 3 r/ANYRUN

Have you tried our new Tier 1 Reports yet?

We recently introduced Tier 1 Reports in the Interactive Sandbox to help with faster triage, escalations, and incident reporting.

If you've had a chance to use them, we'd really like to hear your honest feedback.

  • Has the report been useful during triage or escalations?
  • Is there anything you'd add, remove, or change?

If you haven't had a chance to try Tier 1 Reports yet, you can learn more about them here: https://any.run/cybersecurity-blog/soc-ready-reporting/

u/ANYRUN-team — 4 hours ago
▲ 2 r/ANYRUN

How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed

200+ vendors were sending files into a US manufacturer’s environment.
The real problem was the lack of context to separate safe supplier files from real threats, driving up investigation costs.

See how the company made MTTD 2x faster and scaled security without adding headcount: https://any.run/cybersecurity-blog/us-manufacturer-security-risk/

https://preview.redd.it/aab6eb0nhtah1.png?width=2048&format=png&auto=webp&s=1b8f790fc8b3ab347c8d767be290ef44ca905d95

reddit.com
u/ANYRUN-team — 4 days ago
▲ 4 r/threatintel+1 crossposts

Kratos PhaaS Surge: Updated Phishing Flow Reduces Triage Signals

More than 100 sandbox sessions linked to Kratos activity were recorded over the last week. The growth is likely driven by an updated phishing flow designed to increase conversion and reduce obvious triage signals. 

Legacy Kratos samples were easier to flag during triage, relying on a static /SOft landing URI and a weak secure-document lure. See the analysis session: https://app.any.run/tasks/397bbd6d-7736-4a5b-b4c7-c15461a62d41/

The updated version now uses common-looking URIs typical of legitimate websites and a more convincing Microsoft credential-harvesting flow. 

ANYRUN Sandbox lets SOC teams confirm the real behavior behind the landing page. In the Browser Data tab, teams can inspect the updated Kratos flow and verify credential exfiltration: the entered emailand password are sent via POST to /next.php using di and pr parameters. 

The first submission triggers an “Incorrect Password” message, pushing the victim to retry. After the second attempt, the victim is redirected to the legitimate office[.]com, making the flow look like a failed loginrather than an obvious phishing dead end. This can delay user reporting, blur triage signals, and increase the risk of missed credential theft. 

See the full attack flow and collect IOCs to improve detection coverage: https://app.any.run/tasks/c0f890de-f36e-4378-84f1-0233b8687942/

A full breakdown of this campaign is coming soon. Stay tuned! 

The campaign is now mainly focused on European targets, with observed activity across manufacturing, technology, and MSSP organizations. 

IOCs: 

1️⃣ Updated Kratos 

Exfil URI: /next.php (di and pr parameters in the request body) 

Domains: 

abbayedesvavxdecernay[.]com  

bettiniexeclpdf[.]com  

bil-spesialisten[.]pro  

cewstepisnoof[.]cc  

echnesg[.]com  

erfolgselster[.]de  

acquelinewhitfield[.]fit  

frankretsch[.]de  

fridolinfrosch[.]de  

hawkfs[.]icu  

kalfs[.]es  

kbpfdbi[.]de  

log-service[.]fr  

midfresh[.]pro  

pabmosprgexcel[.]com  

powdermilnavigation[.]com 

2️⃣ Legacy Kratos 

Landing URI: /SOft 

Exfil URI: /mini.php (email and password in the request body) 

u/ANYRUN-team — 4 days ago
▲ 8 r/ANYRUN

Mispadu: How This Evolving Trojan Drains Bank Accounts and Businesses

What is Mispadu?

Mispadu is a Windows banking trojan that targets online banking credentials, cryptocurrency wallets, and other sensitive financial data. Instead of exploiting software vulnerabilities, it relies on phishing and social engineering, making it a persistent threat to organizations whose employees access financial services online.

Key Takeaways

  • Originally focused on Latin America, its techniques can impact organizations worldwide.
  • It spreads mainly through phishing emails, malicious installers, and social engineering.
  • The malware combines credential theft, browser manipulation, persistence, and anti-analysis techniques.
  • Finance, retail, government, healthcare, manufacturing, and organizations with employees using online banking face elevated risk.
  • Effective defense combines endpoint security, email protection, user awareness, and continuous threat intelligence.

Proactively defend with ANY.RUN’s TI Lookup for instant IOC context and TI Feeds for real-time blocking in your security stack — combined with phishing training and endpoint controls.

Read the full article: https://any.run/malware-trends/mispadu/

u/ANYRUN-team — 6 days ago
▲ 13 r/ANYRUN

New Redirect Framework Turns Legitimate Websites Into Phishing Infrastructure

We’re tracking a surge in activity linked to Bulletproof Redirect Engine, a previously unknown framework that helps attackers manage phishing redirects through compromised legitimate websites.

Since late April, ANYRUN has recorded 170+ public submissions linked to this activity, with observed targets mainly in the US and Europe across manufacturing, consulting, and technology.

Hosted in hidden directories on compromised sites, the framework uses trusted domain names to generate phishing links and redirect users to pages built with known phishkits: Sneaky2FA, Tycoon, EvilTokens, Greatness, and EvilProxy. Based on the observed activity, the tool is likely distributed as a PhaaS.

Reputation-based URL controls are not enough when phishing infrastructure hides behind trusted domains and obfuscated browser logic. This increases the chance of victim interaction and creates a SOC blind spot that may lead to missed compromise.

Attack chains like this are now faster and easier to investigate in ANYRUN Sandbox. In-browser data inspection shows exactly what happens inside the browser, exposing phishing behavior that static URL analysis can miss.

Using the Browser Data tab, we can quickly review requests sent by the redirect page and locate the same activity in the HTML DOM Changes: https://app.any.run/tasks/e728e277-a694-431b-8040-655c473baa22/

The code is heavily obfuscated, so the final phishing page is not directly visible in the DOM. But the HTTP Requests tab still exposes the next-stage redirect to an EvilProxy phishing page impersonating Microsoft sign-in flow. This gives analysts a clear pivot point for detection, investigation, and response.

u/ANYRUN-team — 12 days ago
▲ 2 r/ANYRUN

Are TI feeds more useful for triage, hunting, or detection?

Threat intelligence feeds can support multiple SOC workflows.

In alert triage, they provide context around IOCs and help analysts spend less time on manual lookups. In threat hunting, they serve as fresh leads for proactive investigations. For detection engineering, feeds can enrich SIEM and SOAR platforms and help keep detections up to date.

Where do you see the most value in practice? Which workflow benefits the most from threat intelligence feeds?

Indicators in Threat Intelligence Feeds

reddit.com
u/ANYRUN-team — 17 days ago
▲ 10 r/threatintel+1 crossposts

🚨 What EvilTokens Hides in the Browser: See Beyond Static URL Analysis

EvilTokens remains one of the most active phishkits in our reports, abusing MS Device Code authentication to gain access through OAuth workflows rather than direct credential theft. 

The landing page content is AES-GCM encrypted in the initial HTML response and becomes visible only after client-side decryption writes it into the browser DOM, making static URL analysis and network-only visibility incomplete. 
Review the full phishing flow: https://app.any.run/tasks/55d3ead7-c07a-4fb1-aa42-8c397d1a0f8a/

ANYRUN sets a new standard for URL analysis, leaving no blind spots for phishing to exploit. New in-browser data inspection shows exactly what happens inside the browser, exposing every phishing URL’s behavior.  

How to use the Browser Data tab in ANYRUN Sandbox for full URL visibility that speeds up triage and response: 

1️⃣ HTML DOM Changes: Track DOM states over time with timeshift, compare page states, and review byte-level diffs. 

In this case, it reveals when the decrypted phishing page is rendered, exposing the user code and other artifacts hidden in the initial response. 

2️⃣ URL Details: Review the final URL, domain, SSL certificate, DNS records, request statistics, and triggered signatures in one place. 

For device-code phishing, this helps quickly verify suspicious OAuth-related activity without manually correlating multiple data sources. 

3️⃣ HTTP Requests: Inspect browser-level network activity across HTML, JS, Fetch/XHR, scripts, static files, binaries, archives, and other request categories. 

Here, requests to /api/device/start retrieve the userCode and sessionId, while /api/device/status/<sessionId> tracks authorization status, providing early confirmation of the phishing flow. 

4️⃣ Indicators: Automatically collect page-level IOCs, including domains, URLs, hashes, IPs, and ASN data. 

These indicators provide immediate pivot points for threat hunting, helping analysts expand the investigation beyond the original URL. 

This turns URL triage from long manual reconstruction into a fast decision path: what loaded, what changed, and whether the case should be contained, escalated, or turned into detection logic.   

When phishing relies on dynamic browser behavior, this visibility doesn't just speed up triage — it strengthens every downstream process: faster escalations, sharper response, stronger detection logic.  

See how ANYRUN closes phishing blind spots: https://any.run/cybersecurity-blog/in-browser-data-inspection/ 

u/ANYRUN-team — 18 days ago

What's the main challenge of threat hunting in 2026?

Hello guys! Everybody talks about the importance of proactive threat hunting, but in practice it's not that easy. The most common challenges seem to be poor data quality, outdated intelligence, and a lack of time and expertise to hunt effectively.

Based on your experience, what's the biggest challenge in threat hunting?

reddit.com
u/ANYRUN-team — 21 days ago
▲ 5 r/ANYRUN

Intelligence-Driven Threat Hunting: How to Find Hidden Threats

Threat hunting is meant to be proactive, but often feels reactive. Analysts spend time chasing weak signals through noisy logs, querying SIEM data that lacks context, and building detections from technique descriptions that don't easily translate into real-world hunts.

The problem isn't a lack of skill. Most hunting teams know attacker tactics well. The real challenge is the intelligence behind the hunt: it is often outdated, lacks context, or misses the behavioral details needed to create accurate, actionable detections.

Explore how ANY.RUN’s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence: https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/

u/ANYRUN-team — 25 days ago
▲ 2 r/ANYRUN

🚨 Greatness Is Back: Device Code Phishing Targets M365 Accounts

We've identified renewed activity associated with the Greatness PhaaS, which combines AiTM and Device Code Phishing to target Microsoft 365 Accounts. 

Device Code Phishing abuses Microsoft's legitimate device authorization flow to obtain access tokens without directly collecting passwords or MFA codes. This shifts risk from credential theft to token abuse, reducing traditional phishing indicators for SOC teams to detect and investigate. 

Greatness promotes token- and cookie-based access to Microsoft 365 accounts through its Telegram channel, advertising passwordless and code-less account compromise scenarios. 

Observed capabilities include: 

  • Device Code Phishing for M365 token theft  
  • Phishing templates impersonating DocuSign, OneDrive, Outlook, and Voicemail
  • Country-targeted login lures
  • Cloudflare-hosted phishing links 
  • Keyword-based targeting engine 
  • Centralized administration panel

Review the analysis session: https://app.any.run/tasks/dd97835c-8a07-4917-ba23-cb8d8493b174/

Track Device Code Phishing activity associated with Greatness and uncover related infrastructure in ANYRUN TI Lookup: threatName:"greatness" and threatName:"oauth-ms-phish"

IOCs 

Phishing lure: 

Allcompredirectportalshare[.]workers[.]dev 

Supportteammanagements[.]workers[.]dev 

Lindeinvoicexv29dmeocynufgq7[.]s3[.]amazonaws[.]com 

URI: 

/apifiles[.]php?action=get_device_code&user_id= 

/apifiles[.]php?action=poll_token 

https://preview.redd.it/53xorklxdg6h1.png?width=2400&format=png&auto=webp&s=28ec1187090e5e0e1b2676fbb898823cb3e46e79

reddit.com
u/ANYRUN-team — 26 days ago
▲ 2 r/ANYRUN

Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations

In Q1 2026, the most dangerous activity happened inside legitimate user sessions.
The attack surface has moved. Instead of exploiting vulnerabilities, attackers use valid credentials (+14.7%), surveillance (+34.4%) and act through trusted access — turning identity into the new primary control layer and reducing the visibility SOCs depend on.

Insight for CISOs, treat identity as a continuous control, not a checkpoint. Behavior, context, and usage need to be evaluated throughout the session, not just at the door.

Explore other key trends shaping enterprise security in the Cyber Risk Report: https://files.any.run/images/q1_2026_cyber_risk_report_from_anyrun.pdf

https://preview.redd.it/1teq4zn19a6h1.png?width=2400&format=png&auto=webp&s=fe9a39d5fa8029319c8fcc1e992bb602d4bca094

reddit.com
u/ANYRUN-team — 26 days ago
▲ 3 r/ANYRUN

JOMANGY: A Resilient FreePBX Malware Built to Survive Cleanup Attempts

What is JOMANGY?

JOMANGY is a newly documented PHP webshell first described in May 2026. Developed by the financially motivated threat actor INJ3CTOR3, it targets FreePBX-based VoIP phone systems to generate toll fraud revenue.

Why JOMANGY is dangerous:

  • Six self-reinforcing persistence channels make JOMANGY extremely difficult to remove. Any surviving channel can rebuild the full infection within minutes, making partial remediation ineffective.
  • 18 hidden backdoor accounts (nine with root-level privileges) are planted on every infected host, with names designed to mimic legitimate FreePBX system accounts.
  • Double-layer obfuscation (Base64 over ROT13) and active payload rotation give JOMANGY near-zero antivirus detection during initial deployment, reducing the effectiveness of signature-based defenses.
  • Direct financial impact: JOMANGY abuses the victim’s SIP trunks to generate fraudulent call charges that are billed directly to the organization, potentially resulting in losses of tens of thousands of dollars.

How to detect: https://any.run/malware-trends/jomangy/

IP linked to JOMANGY in TI Lookup

reddit.com
u/ANYRUN-team — 27 days ago
▲ 3 r/ANYRUN

🔥 Q1 2026 Cyber Risk report by ANYRUN is out!

Based on 2.1M malware and phishing investigations, it reveals the cyber risks and threat shifts for CISOs to focus on.

Discover top trends shaping the modern threat landscape, including:
+14.7% credential theft
+98.3% loader attacks
+58.4% LOLBAS attacks

Turn Q1 intel into Q2 security priorities. Get the report: https://any.run/cybersecurity-blog/cyber-risk-report-q1-2026/

https://preview.redd.it/0ta24wp1n95h1.png?width=2400&format=png&auto=webp&s=fd2a8efabc6b17ebe5afd54cc4bdb5e588dcef61

reddit.com
u/ANYRUN-team — 1 month ago
▲ 7 r/ANYRUN+1 crossposts

🚨 Fake Claude &amp; Codex Deliver In-Memory Stealer: ClickFix via Google Sites

We’re tracking a ClickFix campaign that mimics popular AI tools, including Codex and Claude, and abuses trusted Google Sites infrastructure to deliver stealer malware.  

With no standalone executable dropped to disk and network activity appearing as legitimate powershell.exe traffic, the attack can significantly reduce visibility during the early stages of compromise. 

Victims are directed to trusted sites[.]google[.]com pages and instructed to execute an mshta command. The attack results in in-memory stealer execution, theft of browser, email, and cryptocurrency wallet data, and outbound communication with attacker-controlled C2 infrastructure, while leaving fewer traditional detection opportunities for SOC teams. 

Execution chain: 
Trusted Google Sites lure ➡️ User-executed mshta command ➡️ Multi-stage PowerShell delivery ➡️ Steganographic payload extraction from image ➡️ Shellcode deployment ➡️ In-memory execution inside powershell.exe ➡️ Browser, email & wallet data theft ➡️ C2 exfiltration 

Codex lure: https://app.any.run/tasks/151cfb30-5ef2-4962-a90e-58a59ecc43da 

Claude lure: https://app.any.run/tasks/698e0bd5-01b6-40fe-814c-5c0885cea645/

Track related ClickFix activity in ANYRUN TI Lookup, identify additional Codex and Claude lures, and uncover related AI-themed ClickFix activity and infrastructure: 

IOCs 

Codex lure URL: 

hxxps://sites[.]google[.]com/view/cdx-biz-ver-24 

Claude lure URL: 

hxxps://sites[.]google[.]com/view/clau-ver-un-24 

Codex embedded lure domain: 

freshbase11[.]com 

wiseview58[.]com 

Claude embedded lure domain: 

fairpoint29[.]com 

fluxforge97[.]com 

Delivery infrastructure: 

primemetricsa[.]com 

swiftmatrix15[.]com 

creativecommunityinfo[.]art 

C2: 

enhanceblabber[.]cc 

https://preview.redd.it/ltjeh3h0l25h1.png?width=2400&format=png&auto=webp&s=328011dfb02174335b77b87002e6b9e94cd1fcbb

reddit.com
u/ANYRUN-team — 1 month ago

JSMonoGlyphRAT: The Persistent Backdoor Targeting US Businesses

A new backdoor is actively targeting enterprises through phishing emails disguised as purchase orders, quotes, and business proposals. Most AV tools miss it entirely.

Confirmed victims include organizations in the technology, telecom, education, and MSSP sectors. Once inside, attackers can deploy ransomware, steal data, and cause costly business disruption.

Learn how to detect JSMonoGlyphRAT before it turns into business impact: https://any.run/cybersecurity-blog/monoglyphrat-attacks-us-enterprise/

https://preview.redd.it/matkep84kv4h1.png?width=2250&format=png&auto=webp&s=076db5a44c7e83b84bdc189f1a71790cd70fefaf

reddit.com
u/ANYRUN-team — 1 month ago
▲ 7 r/ANYRUN

No Password, No Problem: How Kali365 Is Breaking Into Microsoft 365 Environments at Scale

What is Kali365?

Kali365 is an FBI-flagged PhaaS platform that emerged in April 2026, enabling attackers to compromise Microsoft 365 accounts through AI-powered phishing and automated OAuth token capture.

Why Kali365 Became So Dangerous

  • MFA does not stop it. Its device code phishing method abuses a legitimate Microsoft authentication flow, so MFA is never triggered.
  • Stolen OAuth tokens provide persistent access to Outlook, Teams, and OneDrive without requiring passwords.
  • Post-compromise activity is automated and stealthy: attackers create inbox rules to hide alerts and can register new devices to extend access.
  • Any Microsoft 365 organization is a target. Victims span healthcare, finance, insurance, manufacturing, government, and education worldwide.

How to detect: https://any.run/malware-trends/kali365/

Explore Kali365 campaigns with ANY.RUN

reddit.com
u/ANYRUN-team — 1 month ago

JOMANGY Webshell Enables Long-Term Compromise of VoIP Infrastructure

JOMANGY is an actively used PHP backdoor targeting FreePBX-based VoIP environments with stealth, self-recovery, and VoIP/SIP abuse capabilities.  

Once deployed, it establishes persistent access, creates hidden root accounts, and abuses Asterisk/SIP services for toll fraud operations. Since VoIP systems are deeply integrated into enterprise environments, delayed detection can lead to prolonged unauthorized access, financial loss, and operational disruption. 

The malware relies on stealth and defense-evasion techniques designed to survive cleanup attempts and complicate containment for SOC and IR teams once systems are compromised. MITRE ATT&CK techniques observed include: 

  • Persistence via Cron jobs and Unix shell configuration abuse 
  • Defense evasion through log clearing, timestomping, and firewall modification 
  • Credential access targeting `/etc/passwd` and `/etc/shadow` 
  • Competitive eviction of other webshells from compromised systems 
  • VoIP/SIP abuse supporting toll fraud operations

 

Execution chain: 
Vulnerable FreePBX instance ➡️ Exploit public vulnerabilities ➡️ Bash stager deployment ➡️ JOMANGY webshell deployment ➡️ Multiple persistence mechanisms ➡️ Self-healing loop ➡️ VoIP/SIP abuse 

Sandbox analysis session: https://app.any.run/tasks/6c779f0e-e422-4ef5-9bc7-6a799480cc20/

Related activity in TI Lookup: destinationIP:"160.119.69.4" OR destinationIP:"45.95.147.178"

IOCs: 

URLs: 

hxxp[://]160[.]119[.]69[.]4/x 

hxxp[://]45[.]95[.]147[.]178/x 

hxxp[://]45[.]95[.]147[.]178/z/post/noroot[.]php 

IPs: 

45[.]95[.]147[.]178 

160[.]119[.]69[.]4 

SHA256: 

23a50a27395f2dba028c6d86ef135ba46cf9ebf60ea7c2d2c96dd55db6df9477 

6bca44c29f2d84d49b6bd36f8339bd88d93980d145d9cda4251572828da13862 

da38a0364c737af546a978d4cf71dccb51c837db5395577283c3c1605fa96cbb 

347e9d05feb7736b15a1890c59e006b58f91a1545110398d80ef036fdb9cf4f2 

57ca86c77f0e6c788f1aae7bfb4b66abf22c347ecd3a64af7fa22f726c819433 

04c1141b36518c9965a831c68c6bfcbbb8d4d87c43dc15a1c94e4187f9baff5a 

587248ce91e1596a000a46720e7326863f43680eab53c1a1aefc55e4be0c01d4 

5f2118495bbb74f0946f1476465d717ec5b6f35bf629fd3423f785479fe61202 

49b0327a9c426e173309f52357e0a45a2251a95455965ba1e4fa2a4b517d2591 

798fe047f03fc3f2c90c7e0be764b6cfce47c8310697ec5a380b6ec6bad1f669 

E86cc5a0cde3c8c06a54a03b5155099be836132269cfa458d5ee82165643674b 

https://preview.redd.it/vdp7g669sv3h1.png?width=2160&format=png&auto=webp&s=fccb1d793038c3e973ebbfcd81885cd1bdb8ccb7

reddit.com
u/ANYRUN-team — 1 month ago

Kali365 Activity Surges: Device Code Phishing Is Scaling Fast

We’re seeing a growing Device Code phishing activity, with Kali365 emerging as one of the most active PhaaS. In the last 24 hours alone, ANYRUN recorded 100+ related analysis sessions.

The attack abuses legitimate Microsoft device authentication flows. Victims are shown a user code and instructed to enter it into a real Microsoft device auth page, allowing attackers to capture OAuth access tokens instead of passwords. The risk shifts from credential theft to token abuse, while significantly reducing the number of traditional phishing indicators typically used for detection and triage.

Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/<session_id> for session states such as captured, expired, and declined.

The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow.

See the full phishing flow, validate detection logic, and collect IOCs: https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3

Get an exclusive 10th anniversary deal: https://app.any.run/plans/

https://preview.redd.it/bt5zs4mv1p3h1.png?width=2250&format=png&auto=webp&s=145520fa9562e3d0b20950bf5dfc95e5ca51c94f

reddit.com
u/ANYRUN-team — 1 month ago