u/ANYRUN-team

🚨 Legitimate B2B Websites Abused for Fileless Malware Delivery: Detect It Early
▲ 2 r/ANYRUN

We’re tracking widespread ClickFix activity using compromised legitimate websites to deliver fileless malware, lowering suspicion and delaying detection.

Finance, banking, healthcare, manufacturing, and tech are among the most exposed industries.

The activity looks low-risk until fileless execution and outbound C2 traffic are already established. Attackers inject a lightweight inline JavaScript loader into compromised sites, which retrieves a second-stage payload directly into the victim’s browser from external infrastructure.

The attack chain blends into normal web traffic, relies on PowerShell and in-memory execution, and later shifts C2 communication into the legitimate system process svchost.exe, making malicious activity harder to distinguish from routine system behavior for SOC and MSSP teams.

ANYRUN Sandbox helps teams validate suspicious activity faster and contain fileless attacks before they escalate. Analysts can observe the full execution chain in real time:

Inline JS loader ➡️ User-executed PowerShell (IEX/IRM) ➡️ Hidden second-stage PowerShell and loader retrieval ➡️ Fileless in-memory execution inside powershell.exe ➡️ Follow-on .NET payload delivery ➡️ svchost.exe injection ➡️ Custom TCP C2 🚨

Scale your SOC with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/

IOCs:
/jsrepo?rnd=
/teamrepo?rnd=

ntdnewtds[.]shop
dnsnewtds[.]shop
sdntds[.]shop
newtdsone[.]shop
nttdss[.]shop
Dntds[.]shop

178[.]16[.]52[.]232
158[.]94[.]208[.]92
158[.]94[.]208[.]104
91[.]92[.]243[.]161

https://preview.redd.it/5jwy0net9c2h1.png?width=2400&format=png&auto=webp&s=f6d5c17562f9aa5e66af0fe053d38a567f81137a

https://preview.redd.it/mu9t1g5u9c2h1.png?width=2400&format=png&auto=webp&s=016674346a1aed8b6ffbd86c4f65f33783fce69b
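The indicators listed in the post above are only useful if they are actually matched against something. The following is an added example, not ANY.RUN's code or tooling: it refangs the defanged domains and IPs, then scans a few constructed proxy log lines for hits on the hosting domains, the C2 IPs, and the two loader retrieval paths. Matching the `/jsrepo?rnd=` and `/teamrepo?rnd=` prefixes on any host is a design choice of this example (the post lists the paths without a host); the log format and the `supplier-portal.example` host are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed in the post above, kept in their defanged form.
DEFANGED_DOMAINS = [
    "ntdnewtds[.]shop", "dnsnewtds[.]shop", "sdntds[.]shop",
    "newtdsone[.]shop", "nttdss[.]shop", "Dntds[.]shop",
]
DEFANGED_IPS = [
    "178[.]16[.]52[.]232", "158[.]94[.]208[.]92",
    "158[.]94[.]208[.]104", "91[.]92[.]243[.]161",
]
# Loader retrieval paths from the post; matched on any host (assumption of this example).
LOADER_PATH_PREFIXES = ["/jsrepo?rnd=", "/teamrepo?rnd="]


def refang(indicator: str) -> str:
    """Turn the '[.]' defanging used in the post back into a real dot, lower-cased."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed proxy log (not from the post): "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2025-05-20T10:01:02Z 10.0.0.15 GET https://supplier-portal.example/catalog/index.html
2025-05-20T10:01:03Z 10.0.0.15 GET https://supplier-portal.example/jsrepo?rnd=48213
2025-05-20T10:01:05Z 10.0.0.15 GET https://ntdnewtds.shop/teamrepo?rnd=91
2025-05-20T10:01:06Z 10.0.0.22 GET https://158.94.208.92/stage2
2025-05-20T10:02:00Z 10.0.0.22 GET https://supplier-portal.example/about
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify_url(url: str) -> list:
    """Return the indicator types this URL matches; an empty list means no hit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    if host in DOMAINS:
        reasons.append("domain:" + host)
    try:
        if str(ipaddress.ip_address(host)) in IPS:
            reasons.append("ip:" + host)
    except ValueError:
        pass  # host is a name, not an IP literal
    for prefix in LOADER_PATH_PREFIXES:
        if path_and_query.startswith(prefix):
            reasons.append("path:" + prefix)
    return reasons


def scan_log(log_text: str) -> list:
    """Scan proxy log lines and return one record per line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, client, _method, url = m.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Running the block reports three of the five constructed lines: the loader path fetched from the otherwise legitimate-looking host, the TDS domain, and the direct-to-IP request. The path-prefix match is the one worth keeping even after the listed domains and IPs rotate, since the post describes the domains as disposable infrastructure.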

u/ANYRUN-team — 1 day ago
▲ 9 r/ciso

I'm the CISO at ANY.RUN. Ask me anything!

Hello everyone! I’m the CISO at ANYRUN, the company behind the Interactive Sandbox and Threat Intelligence solutions used by 15,000+ organizations, 600,000 security professionals, and security teams at Fortune 100 companies worldwide.

This May, ANYRUN is celebrating its 10th anniversary. From May 18 to May 31, we’re running special anniversary offers across our core threat analysis and intelligence solutions.

To celebrate this milestone, we decided to host this AMA specifically for CISOs and security leaders.

Today, I’d be happy to answer your questions and discuss:

  • cybersecurity strategy, risk management, and GRC
  • compliance as a business enabler
  • AI security and emerging cyber threats
  • identity security, Zero Trust, and access governance
  • vulnerability management and security operations

The AMA will take place on May 20–21, but feel free to leave your questions later as well. I’ll continue checking the thread throughout the week and will try to answer as many questions as possible.

Drop your questions in the comments!

u/ANYRUN-team — 1 day ago
▲ 6 r/threatintel+1 crossposts

US Banking Users Targeted in Large-Scale OTP Phishing Campaign

We’re tracking a large-scale phishing campaign impersonating ESL Federal Credit Union, a U.S. financial institution, with ongoing high-volume activity observed since November 2025. The infrastructure and flow are highly reusable and can be quickly adapted to impersonate other financial organizations.

The campaign uses a multi-step phishing flow to steal usernames, passwords, OTP codes, and email verification data, creating serious account takeover and fraud risk at this scale.

Unlike short-lived phishing operations, this activity has remained active for months with constantly rotating infrastructure. More than 230 phishing domains have already been identified, most registered in .sbs, .cfd, and .click zones.

After credential submission, victim data is sent through a chain of POST requests and forwarded to Telegram bots through attacker-controlled iframe responses. The campaign then moves into a second phishing stage focused on email verification, adding another layer of credential harvesting and OTP interception.

See the phishing flow, credential exfiltration chain, and collect IOCs: https://app.any.run/tasks/57a49b17-1d88-458c-9f16-005fd9837fee/

Even with constant domain rotation, the campaign keeps reusing the same phishing-page images, endpoint structure, and multi-step authentication flow. These repeating artifacts make the activity trackable across newly deployed phishing sites.

Hunt for related phishing infrastructure using recurring campaign artifacts in TI Lookup: (url:"/chc.png" AND url:"/member-fdic.svg" AND url:"/equal-housing-lender.svg" AND url:"/image.png")

Celebrate ANYRUN’s 10th anniversary with us! Explore special offers: https://app.any.run/plans/

u/ANYRUN-team — 1 day ago
▲ 2 r/ANYRUN

🎉 ANY.RUN turns 10: Celebrate with exclusive anniversary offers!

Ten years in cybersecurity is a long journey. Threats have evolved, attacks have become harder to detect, and security teams need answers faster than ever.

ANYRUN has grown with those teams. What started as an interactive sandbox is now a trusted company with threat analysis and intelligence solutions used by 15,000+ organizations, 600,000 security professionals, and teams at Fortune 100 companies worldwide.

To celebrate, we’re launching special offers across Interactive Sandbox and Threat Intelligence solutions, including extra months, discounts, exclusive pricing, and more value for your team. 

Learn more about our anniversary offers: https://any.run/cybersecurity-blog/anyrun-10th-anniversary-offers/

https://preview.redd.it/xvy8xkt7432h1.png?width=2048&format=png&auto=webp&s=770028858a57aff3a07761aa2e61ebc16d128c3f

u/ANYRUN-team — 2 days ago
▲ 3 r/ANYRUN

New Tier 1 Reports: Get actionable insights within the Interactive Sandbox in a single click

New SOC-ready Tier 1 reports transform complex sandbox analysis into structured, decision-ready intelligence for faster and more efficient triage, escalation, response, and reporting.

Each Tier 1 report includes:

  • A clear verdict on the analyzed sample
  • An AI Summary with threat classification and executive overview
  • Key IOCs and behavioral indicators
  • MITRE ATT&CK mapping

Reports can be generated directly in the Interactive Sandbox with a single click, making sandbox analysis instantly usable across operational workflows. 

Explore hands-on use cases: https://any.run/cybersecurity-blog/soc-ready-reporting/

https://preview.redd.it/b3o6lkpkrv1h1.png?width=1272&format=png&auto=webp&s=0144c62c28c1513af78b8cd82f4c318bdc761af3

u/ANYRUN-team — 3 days ago

What are the most overlooked cybersecurity risks in 2026?

We constantly hear about major threats like supply chain attacks, phishing, and zero days. Everyone knows about them, and they usually get a lot of attention and priority.

But what are the risks companies still tend to underestimate?

Maybe it’s gaps in internal processes or something else that seems low priority until it causes serious damage. Have you seen cases like this in your own experience?

u/ANYRUN-team — 7 days ago
▲ 3 r/ANYRUN

How High-Performing Financial SOCs Handle Modern Threats

Cyberattacks against financial institutions evolve faster than most security teams can adapt. Phishing, evasive malware, account takeover, and ransomware campaigns continue to pressure SOCs with high alert volumes and strict compliance requirements.

Modern financial SOC teams rely on proactive security solutions like ANYRUN for:

  • Live, actionable IOCs from 15K SOCs and real-time investigations
  • Interactive Sandbox analysis that exposes full attack chains and evasive malware behavior
  • Rich threat context that helps analysts prioritize critical incidents in seconds
  • Faster investigations that reduce dwell time and minimize financial and reputational impact
  • Comprehensive threat intelligence that supports compliance and proactive defense

Identify up to 58% more threats, reduce Tier 1 workload by up to 20%, and shorten response cycles without increasing headcount: https://any.run/by-industry/finance/

https://preview.redd.it/kddd2g1ux21h1.png?width=2400&format=png&auto=webp&s=b50b0c4d049425eeafe566d96364bf1fed518b22

u/ANYRUN-team — 7 days ago

Fake Word Online ➡️ Remote Access: Detection Blind Spots in Action

A phishing attack starting from an Outlook email redirects victims to a fake Word Online / OneDrive page, leading to stealthy remote access under the guise of a document preview.

Instead of traditional malware loaders, the chain relies on legitimate tools to establish remote access while blending into normal corporate activity. This reduces visibility for traditional detection and increases the risk of delayed detection and prolonged attacker presence.

In ANYRUN Sandbox, analysts can observe high-value detection signals early in the execution chain, including suspicious document-delivery domains, silent software installation behavior, intermediate deployment stages, and utilities used to hide installed programs.

These artifacts help teams build detections around trusted-tool abuse, suspicious command-line behavior, and phishing infrastructure instead of relying only on file hashes.

Execution chain:

Outlook .eml ➡️ Word Online phishing page ➡️ MSI installer ➡️ Ninite /silent execution ➡️ Remote access via ScreenConnect ➡️ Activity concealment via HideUL 

See the full attack flow and collect IOCs to improve detection coverage.

Explore related activity and validate hunting patterns using this TI Lookup query: filePath:".eml" AND threatName:"phishing" AND (threatName:"^rat$" OR threatName:"^rmm-tool$")

https://preview.redd.it/p65u2m74vw0h1.png?width=1080&format=png&auto=webp&s=6e6d0000fa6d62a37f6ff433ab830c535639d256

u/ANYRUN-team — 8 days ago
▲ 5 r/ANYRUN

Fake Word Online ➡️ Remote Access: Detection Blind Spots in Action

A phishing attack starting from an Outlook email redirects victims to a fake Word Online / OneDrive page, leading to stealthy remote access under the guise of a document preview.

Instead of traditional malware loaders, the chain relies on legitimate tools to establish remote access while blending into normal corporate activity. This reduces visibility for traditional detection and increases the risk of delayed detection and prolonged attacker presence.

In ANYRUN Sandbox, analysts can observe high-value detection signals early in the execution chain, including suspicious document-delivery domains, silent software installation behavior, intermediate deployment stages, and utilities used to hide installed programs.

These artifacts help teams build detections around trusted-tool abuse, suspicious command-line behavior, and phishing infrastructure instead of relying only on file hashes.

Execution chain:

Outlook .eml ➡️ Word Online phishing page ➡️ MSI installer ➡️ Ninite /silent execution ➡️ Remote access via ScreenConnect ➡️ Activity concealment via HideUL 

See the full attack flow and collect IOCs to improve detection coverage.

Explore related activity and validate hunting patterns using this TI Lookup query: filePath:".eml" AND threatName:"phishing" AND (threatName:"^rat$" OR threatName:"^rmm-tool$")

Strengthen your SOC, detect complex threats faster, and boost team performance with ANYRUN.

https://preview.redd.it/8s68kooniw0h1.png?width=2250&format=png&auto=webp&s=48fa5545ce7ba3ffb078dc30ddbbf21861fc0972

u/ANYRUN-team — 8 days ago

Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk. This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network.

The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable. 

ANY.RUN Sandbox exposed in-memory phishing, enabling faster detection and response. See how the attack unfolds.

Explore the full technical breakdown to understand detection gaps and validate your coverage.

https://preview.redd.it/4aivcc7uspzg1.png?width=2400&format=png&auto=webp&s=5f5657c2c46d4e39fc862d7e68385f43c5accb7d

u/ANYRUN-team — 14 days ago
▲ 1 r/ANYRUN

Compromised accounts enable BEC, data exfiltration, and lateral movement, creating direct financial and operational risk.

This campaign generates phishing pages directly inside the browser using blob objects instead of loading them over the network. The payload exists entirely in memory, which breaks network visibility and makes traditional detection unreliable.

ANY.RUN Sandbox helps SOC teams observe this behavior, exposing in-memory phishing and enabling faster detection and response. See how the attack unfolds and collect IOCs.

Explore the full technical breakdown to understand detection gaps, validate your coverage, and strengthen phishing defenses.

https://preview.redd.it/wphik2zysizg1.png?width=2400&format=png&auto=webp&s=f0a8ffaac35ada5eba1c9a36519c42032767928c

u/ANYRUN-team — 15 days ago
▲ 3 r/MSSP

A huge part of the queue ends up being noise, but analysts still have to spend time reviewing and triaging it. Over time, that affects everything: response speed, investigation quality and overall efficiency.

What makes it harder is that once the volume gets high enough, teams naturally start moving faster just to keep up. And that’s where important detections can get buried or downgraded.

What has made the biggest difference for your team when it comes to reducing unnecessary alerts?

u/ANYRUN-team — 15 days ago
▲ 1 r/ANYRUN

Reaching a higher level of SOC maturity comes down to making better, more consistent decisions during malware and phishing investigations.

That requires rethinking how threat intelligence is used: not just as a reference, but as a core part of the decision-making process.

To move from reactive to confidently proactive security, you need a threat intelligence workflow that:

  • addresses key challenges like alert fatigue and visibility gaps
  • integrates seamlessly into SOC workflows and supports them
  • delivers compounding value as part of a unified system

Learn how you can adopt behavioral TI to reduce MTTR and business risk: https://any.run/cybersecurity-blog/soc-maturity-with-threat-intelligence/

https://preview.redd.it/ture6c14p4zg1.png?width=2048&format=png&auto=webp&s=e1fef6f3b8d4990254ba59c5ccb3721230e5dda1

u/ANYRUN-team — 16 days ago
▲ 3 r/ANYRUN

MicroStealer is a rapidly emerging infostealer that spreads quickly while maintaining low detection rates. It uses a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.

MicroStealer: Key Features

  1. MicroStealer uses a layered NSIS → Electron → Java chain for evasion and rapid spread.
  2. It steals more than passwords, focusing on browser sessions, cookies, screenshots, and wallets for immediate impact.
  3. Low AV detection + redundant exfiltration (Discord + C2) enable quick, reliable data theft.
  4. Session hijacking turns endpoint compromise into persistent enterprise access.
  5. Behavior-based sandbox analysis is essential for early detection of emerging stealers.
  6. Proactively defend with ANY.RUN's Threat Intelligence Lookup for instant IOC/variant hunting and Threat Intelligence Feeds for real-time campaign visibility and automated protection: threatName:"microstealer".

Read the full article to learn how to detect it early: https://any.run/malware-trends/microstealer/

Malware overview in TI Lookup: landscape, IOCs, and more

u/ANYRUN-team — 17 days ago

A large-scale campaign is targeting U.S. organizations with fake event invitations. Attackers combine credential theft with OTP interception and RMM deployment, enabling direct remote access.

Activity is concentrated in the U.S., with high risk across banking, government, tech, and healthcare, indicating broad exposure across business-critical sectors.

Some phishing pages show signs of AI-assisted generation, while embedded code reveals reuse of common phishing kits, allowing attackers to scale and rapidly create new lures.

The risk goes beyond phishing. Remote access to the corporate environment is established through legitimate tools like ScreenConnect, ITarian, and Datto RMM, while infrastructure and domains are designed to look trustworthy, delaying detection and increasing attacker dwell time.

The flow starts with a CAPTCHA page, followed by a fake “event invitation” and then splits into two paths: credential harvesting via phishing login pages or RMM installation.
In this case, the download starts automatically, establishing access early in the execution chain, before user awareness. See how the full flow unfolds, from initial redirect to remote access delivery: https://app.any.run/tasks/4c2687da-1426-43c3-8e16-868f90fb9361/

Despite infrastructure changes, the campaign relies on repeatable patterns: consistent URL structure across phishing domains, fixed resource paths like /Image/*.png, and sequential requests such as /favicon.ico ➡️ /blocked.html ➡️ phishing content. 

Explore these patterns, uncover related activity, and pivot from IOCs in TI Lookup.

https://preview.redd.it/n8btt5lov6yg1.png?width=1080&format=png&auto=webp&s=4d8eb9638625a2abe3e2cc4eab9fc664efed53bc

https://preview.redd.it/kiwfn9kpv6yg1.png?width=1080&format=png&auto=webp&s=5c73dc5125e974a307b7bf3bcc48eff0119c2d59

u/ANYRUN-team — 22 days ago
▲ 5 r/ANYRUN+1 crossposts

A large-scale campaign is targeting U.S. organizations with fake event invitations. Attackers combine credential theft with OTP interception and RMM deployment, enabling direct remote access.

Activity is concentrated in the U.S., with high risk across banking, government, tech, and healthcare, indicating broad exposure across business-critical sectors.

Some phishing pages show signs of AI-assisted generation, while embedded code reveals reuse of common phishing kits, allowing attackers to scale and rapidly create new lures.

The risk goes beyond phishing. Remote access to the corporate environment is established through legitimate tools like ScreenConnect, ITarian, and Datto RMM, while infrastructure and domains are designed to look trustworthy, delaying detection and increasing attacker dwell time.

The flow starts with a CAPTCHA page, followed by a fake “event invitation” and then splits into two paths: credential harvesting via phishing login pages or RMM installation.
In this case, the download starts automatically, establishing access early in the execution chain, before user awareness. See how the full flow unfolds, from initial redirect to remote access delivery: https://app.any.run/tasks/4c2687da-1426-43c3-8e16-868f90fb9361/

With ANYRUN Sandbox and Threat Intelligence, analysts can safely reconstruct the full attack chain and identify related patterns across campaigns. This enables earlier confirmation of phishing activity, reduces MTTD, and helps contain incidents before impact.

Early-stage signals make this campaign detectable. These appear before credentials are entered and are visible in ANYRUN Sandbox at the start of the execution chain, enabling faster and more confident response decisions.

Despite infrastructure changes, the campaign relies on repeatable patterns: consistent URL structure across phishing domains, fixed resource paths like /Image/*.png, and sequential requests such as /favicon.ico ➡️ /blocked.html ➡️ phishing content. 

Explore these patterns, uncover related activity, and pivot from IOCs in TI Lookup.

https://preview.redd.it/2au4ubkgj5yg1.png?width=2400&format=png&auto=webp&s=0db84882cfa2b852bc9055617fdfd8645d0a00dc

https://preview.redd.it/9dp5iuchj5yg1.png?width=2400&format=png&auto=webp&s=3300c7b193164ddac23e9a4643ae24b1a8045e92
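Both versions of the fake event invitation post above point at the same repeatable pattern: a per-host request order of /favicon.ico, then /blocked.html, then the phishing content, plus fixed /Image/*.png resource paths. The following is an added example (not ANY.RUN's detection logic) that groups constructed proxy log lines by client and host, checks that the two lead requests occur in that order and are followed by further content, and counts the image resources as a secondary signal. The log format and every host name in the sample are assumptions; the `invite-placeholder.example` host stands in for a campaign domain the post does not name.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Ordered request sequence from the post: /favicon.ico -> /blocked.html -> phishing content.
LEAD_SEQUENCE = ["/favicon.ico", "/blocked.html"]
# Fixed resource path pattern from the post: /Image/*.png
IMAGE_PATH_RE = re.compile(r"^/Image/[^/]+\.png$")

# Constructed proxy log (not from the post): "<timestamp> <client> <url>".
# The invitation host name is a placeholder, not an indicator from the campaign.
SAMPLE_LOG = """\
2025-04-28T09:00:01Z 10.0.0.5 https://invite-placeholder.example/favicon.ico
2025-04-28T09:00:02Z 10.0.0.5 https://invite-placeholder.example/blocked.html
2025-04-28T09:00:03Z 10.0.0.5 https://invite-placeholder.example/event/index.html
2025-04-28T09:00:04Z 10.0.0.5 https://invite-placeholder.example/Image/logo.png
2025-04-28T09:00:04Z 10.0.0.5 https://invite-placeholder.example/Image/header.png
2025-04-28T09:05:00Z 10.0.0.7 https://intranet.example/favicon.ico
2025-04-28T09:05:01Z 10.0.0.7 https://intranet.example/index.html
2025-04-28T09:06:00Z 10.0.0.9 https://other.example/blocked.html
2025-04-28T09:06:01Z 10.0.0.9 https://other.example/favicon.ico
2025-04-28T09:06:02Z 10.0.0.9 https://other.example/home.html
"""


def _sequence_end(paths: list, sequence: list):
    """Index just past `sequence` inside `paths` (in order), or None if it is not present in order."""
    pos = 0
    for wanted in sequence:
        try:
            pos = paths.index(wanted, pos) + 1
        except ValueError:
            return None
    return pos


def find_sequence_hits(log_text: str) -> list:
    """Return one record per (client, host) whose requests follow the campaign's lead sequence."""
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not follow the assumed format
        ts, client, url = fields
        parts = urlsplit(url)
        per_session[(client, parts.hostname)].append((ts, parts.path))

    hits = []
    for (client, host), reqs in per_session.items():
        reqs.sort()  # ISO-8601 timestamps sort chronologically as strings
        paths = [p for _, p in reqs]
        end = _sequence_end(paths, LEAD_SEQUENCE)
        if end is None or end >= len(paths):
            continue  # sequence absent, out of order, or nothing fetched after /blocked.html
        hits.append({
            "client": client,
            "host": host,
            "first_content": paths[end],
            "image_resources": sum(1 for p in paths if IMAGE_PATH_RE.match(p)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sequence_hits(SAMPLE_LOG):
        print(hit)
```

Only the first client is reported: the second never requests /blocked.html, and the third requests the two lead paths in the wrong order, which the ordered check deliberately rejects. Requiring a follow-on request after /blocked.html keeps a lone block page from firing the rule.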

u/ANYRUN-team — 22 days ago

We’re a team of malware analysts from ANYRUN, Interactive Sandbox and Threat Intelligence Lookup you might already be using in your investigations. Our team is made up of experts across different areas of information security and threat analysis, including reverse engineers and network traffic specialists.

We’re happy to talk about:

  • Recent malware trends and ongoing attack campaigns;
  • Real case studies and incident breakdowns from our research;
  • SOC workflows — triage, investigation, and response decisions.

Our latest research:

We’ll be here on Wednesday–Thursday (April 29–30) to answer your questions. Let’s get into it!

u/ANYRUN-team — 22 days ago
▲ 2 r/ANYRUN

EvilTokens is a PhaaS toolkit that automates device code phishing attacks against Microsoft 365 and Entra ID environments. Unlike traditional credential-harvesting phishing, EvilTokens tricks users into completing legitimate authentication on Microsoft's own login pages, resulting in the issuance of valid OAuth access and refresh tokens directly to the attacker, effectively bypassing MFA without stealing passwords.

  • As a PhaaS kit sold on Telegram, it democratizes sophisticated attacks, enabling rapid scaling with minimal technical skill.
  • AI-powered features generate convincing lures and automate BEC, increasing both volume and success rates.
  • Persistent refresh tokens allow long-term access, device registration, and silent authentication across M365 services.
  • Organizations in finance, government, healthcare, and other M365-heavy sectors are prime targets globally.

Security teams can query ANYRUN's Threat Intelligence Lookup for known EvilTokens domains, URLs, and infrastructure indicators in real time: destinationIP:"75.98.162.49".

See the full article and analysis session: https://any.run/malware-trends/eviltokens/

Malicious IP linked to EvilTokens

u/ANYRUN-team — 24 days ago

Redirect chains, fake CAPTCHA, and fast-changing delivery paths make traditional detection unreliable. By the time credentials are targeted, the signal is already lost, which creates a critical gap in triage. The key is detecting phishing earlier, while patterns are still stable, before the flow fully unfolds.

Here are two examples showing how early-stage signals help identify phishing activity before it escalates:

  1. Redirect infrastructure

The chain starts from a Google link leading to a compromised site. A hidden HTML page extracts victim data from the URL fragment and triggers a redirect before any user interaction. Analysis session.

In TI Lookup, this activity can be traced by searching for URL fragments containing the #...Family= parameter, which is used to pass victim data and drive redirection. This helps uncover similar samples and track reuse across campaigns.

Use this query to pivot from this signal and uncover related activity.

  2. Fake CAPTCHA delivery

After the initial redirect, the victim is presented with a legit-looking CAPTCHA to build trust before being redirected to a phishing page, a fake Microsoft login page powered by EvilProxy. Analysis session.

Detection here relies on consistent URL parameters (v, session, cid, iat, loc, build) that appear early in the execution chain. Searching for this structure helps surface related signals and build early-stage detection, reducing MTTD, improving coverage and MTTR.

Use this query to surface related phishing activity and validate detection patterns.

You can now test TI’s impact on triage, response, and threat hunting directly in your workflows. With 20 premium search requests available, SOC and MSSP teams can validate activity against real-world data, reduce uncertainty, and make faster, evidence-based decisions.

IOCs:
URL patterns:
hxxps://<redirector_site>/*#<8 digits>Family=<base64-victim email>
hxxps://<phishing_domain>/?v=<hexadec_chars>&session=<session_id>&cid=<client_id>&iat=<digits>&loc=<location_code>&build=<build_version>

Domains:
kjcleaningservices[.]com[.]au
starllamerchantservices[.]club
lavor[.]sbs
echosign[.]co[.]it
dspconsulting[.]eu

https://preview.redd.it/975761ajkzwg1.png?width=1080&format=png&auto=webp&s=17639d2d60919a8842888db32f37f580dc0e754b

u/ANYRUN-team — 28 days ago
▲ 2 r/ANYRUN

Redirect chains, fake CAPTCHA, and fast-changing delivery paths make traditional detection unreliable. By the time credentials are targeted, the signal is already lost, which creates a critical gap in triage. The key is detecting phishing earlier, while patterns are still stable, before the flow fully unfolds.

With ANYRUN TI Lookup, teams can move from isolated indicators to full context, identify attack patterns, and validate detection logic against real attack data from 15K+ organizations.

Here are two examples showing how early-stage signals help identify phishing activity before it escalates:

  1. Redirect infrastructure

The chain starts from a Google link leading to a compromised site. A hidden HTML page extracts victim data from the URL fragment and triggers a redirect before any user interaction. Analysis session.

In TI Lookup, this activity can be traced by searching for URL fragments containing the #...Family= parameter, which is used to pass victim data and drive redirection. This helps uncover similar samples and track reuse across campaigns.

Use this query to pivot from this signal and uncover related activity.

  2. Fake CAPTCHA delivery

After the initial redirect, the victim is presented with a legit-looking CAPTCHA to build trust before being redirected to a phishing page, a fake Microsoft login page powered by EvilProxy. Analysis session.

Detection here relies on consistent URL parameters (v, session, cid, iat, loc, build) that appear early in the execution chain. Searching for this structure helps surface related signals and build early-stage detection, reducing MTTD, improving coverage and MTTR.

Use this query to surface related phishing activity and validate detection patterns.

You can now test TI’s impact on triage, response, and threat hunting directly in your workflows. With 20 premium search requests available, SOC and MSSP teams can validate activity against real-world data, reduce uncertainty, and make faster, evidence-based decisions.

https://preview.redd.it/vvvkawa4txwg1.png?width=2400&format=png&auto=webp&s=fbb5514c9e41f6c7ca48bff365e8347cd02e69c4
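The two early-stage signals described in this post and in the earlier, longer version of it (the one with the IOC section) are both structural URL patterns: a redirector fragment of the form `#<8 digits>Family=<base64-victim email>`, and an EvilProxy landing URL carrying the fixed parameter set `v`, `session`, `cid`, `iat`, `loc`, `build`. The following is an added example, not ANY.RUN's TI Lookup logic: it parses a constructed list of URLs, decodes the fragment so triage can see which mailbox was targeted, and checks the query string for the full parameter set with the `v` and `iat` value types the IOC patterns specify. The URLs are constructed (two of the hosts come from the post's domain list; `user@example.com` and the parameter values are made up), and because fragments are never sent to a server, the input is assumed to come from sandbox or browser telemetry rather than a proxy log.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Pattern 1 from the IOC section: <redirector_site>/*#<8 digits>Family=<base64-victim email>
FAMILY_FRAGMENT_RE = re.compile(r"^(?P<prefix>\d{8})Family=(?P<b64>[A-Za-z0-9+/=_-]+)$")

# Pattern 2: ?v=<hexadec_chars>&session=...&cid=...&iat=<digits>&loc=...&build=...
EVILPROXY_PARAMS = {"v", "session", "cid", "iat", "loc", "build"}

# Constructed URLs as they would be seen in sandbox/browser telemetry (not from the post).
SAMPLE_URLS = [
    "https://kjcleaningservices.com.au/#12345678Family=dXNlckBleGFtcGxlLmNvbQ==",
    "https://lavor.sbs/?v=1a2b3c4d&session=abc123&cid=9&iat=1714000000&loc=us&build=42",
    "https://portal.example/?v=1a2b&session=x",
    "https://docs.example/page#section-2",
]


def decode_family_fragment(fragment: str):
    """Return the identifier carried in a '<8 digits>Family=<base64>' fragment, else None."""
    m = FAMILY_FRAGMENT_RE.match(fragment)
    if not m:
        return None
    b64 = m.group("b64")
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped base64 padding
    try:
        return base64.urlsafe_b64decode(b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # looked like the pattern but did not decode to text


def classify_url(url: str) -> list:
    """Return (signal, detail) pairs for the early-stage patterns this URL exhibits."""
    parts = urlsplit(url)
    findings = []

    victim = decode_family_fragment(parts.fragment)
    if victim is not None:
        findings.append(("redirector-fragment", victim))

    params = parse_qs(parts.query, keep_blank_values=True)
    if EVILPROXY_PARAMS.issubset(params):
        v, iat = params["v"][0], params["iat"][0]
        # The IOC pattern fixes v as hex characters and iat as digits; check both.
        if re.fullmatch(r"[0-9a-fA-F]+", v) and iat.isdigit():
            findings.append(("evilproxy-params", parts.hostname))
    return findings


def scan_urls(urls: list) -> list:
    """Return (url, findings) for every URL that shows at least one pattern."""
    results = []
    for url in urls:
        findings = classify_url(url)
        if findings:
            results.append((url, findings))
    return results


if __name__ == "__main__":
    for url, findings in scan_urls(SAMPLE_URLS):
        print(url, findings)
```

The partial parameter set on the third URL is deliberately not a hit: the post's point is that the full, fixed structure is what stays stable across domain rotation, so matching on a subset would trade precision for nothing. Decoding the fragment is defensive value, since it tells the analyst which user the redirect was personalized for before any credential is entered.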

u/ANYRUN-team — 28 days ago