{"id":12361,"date":"2025-03-27T11:11:33","date_gmt":"2025-03-27T11:11:33","guid":{"rendered":"\/cybersecurity-blog\/?p=12361"},"modified":"2025-03-28T08:19:08","modified_gmt":"2025-03-28T08:19:08","slug":"threat-intelligence-from-organizations","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/","title":{"rendered":"How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations"},"content":{"rendered":"\n<p>Cyber threat intelligence is all about data: its collection, exploration and research, extracting actionable insight. If you employ any intelligence solution, it is vital to understand what data sources it relies on and what kind of information they deliver.&nbsp;&nbsp;<\/p>\n\n\n\n<p>In ANY.RUN\u2019s <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/intelligence.any.run\/feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktotifeeds\" target=\"_blank\" rel=\"noreferrer noopener\">TI Feeds<\/a>, we leverage fresh data from millions of sandbox analyses performed by thousands of organizations and hundreds of thousands of researchers.<\/p>\n\n\n\n<p>Here is how it works.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Where Threat Intelligence Comes From&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-1024x604.png\" alt=\"\" class=\"wp-image-12394\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-1024x604.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-1536x906.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1-740x436.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/ti_mitre_one-1.png 1826w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup lets you access<\/em> <em>fresh<\/em> <em>threat intelligence on active malware and phishing attacks<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Over 500,000 security professionals worldwide, including <a href=\"https:\/\/any.run\/cybersecurity-blog\/sandbox-for-every-tier\/\" target=\"_blank\" rel=\"noreferrer noopener\">SOC teams<\/a> from 15,000 companies, use ANY.RUN\u2019s <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> daily to analyze suspicious links and files related to the latest cyber attacks. 
They check alleged <a href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing emails<\/a>, explore potential breach attempts, investigate incidents, and collect critical insights into malicious behavior.&nbsp;<\/p>\n\n\n\n<p>Thanks to ANY.RUN\u2019s proprietary technology, we extract <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-in-ti-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs, IOAs, IOBs<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TTPs<\/a> from the analyzed samples and enrich Threat Intelligence Lookup and TI Feeds with a continuous inflow of threat data which is:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Real and Exclusive<\/strong>: Companies submit files and URLs related to actual attacks on their infrastructure. The data extracted from these submissions is often unique and cannot be found&nbsp;in any other sources. 
&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Up-to-date<\/strong>: The data belongs to recent or ongoing cyber attacks, including active campaigns and emerging malware.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Actionable<\/strong>: SOC teams often submit samples as part of proactive threat hunting or incident response, contributing to a dataset that helps you predict and prevent future attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\">How Data From 15,000 Businesses Helps Yours&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-1024x600.png\" alt=\"\" class=\"wp-image-12392\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-1536x901.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/feeds_one.png 1837w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN provides free TI Feeds samples in STIX and MISP<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The wealth of data on the latest cyber threats available in <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Feeds<\/a> enables organizations like yours to: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Quickly Detect and Prevent Attacks <\/strong>avoiding operational disruption and further damage.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enhance SOC 
Efficiency<\/strong> providing teams with access to current and relevant data and enabling them to defend the company\u2019s assets and infrastructure proactively. &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Boost Mitigation and Response<\/strong> minimizing incident costs and financial and reputational losses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>You can investigate, search, and get a direct stream of IOCs, IOAs, and IOBs in your company to strengthen your proactive defenses against ongoing malware and phishing attacks. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Examples of Unique Threat Intelligence on Active Cyber Attacks&nbsp;<\/h2>\n\n\n\n<p>One scenario where threat data from some companies serves others through ANY.RUN\u2019s tools is industry-wide malware campaigns. Organizations that were the first to face incidents help others anticipate and prevent them. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Interlock Ransomware Attacks on US Healthcare&nbsp;&nbsp;<\/h3>\n\n\n\n<p>In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data.<\/p>\n\n\n\n<p>Threat Intelligence Lookup had data on the threat <a href=\"https:\/\/any.run\/cybersecurity-blog\/interlock-ransomware-attack-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">almost one month before the first reports emerged<\/a>. This helped our users take preventative measures long before public alerts were raised. 
For example, one of the malicious domains that distributed the ransomware appeared in submitted samples in September.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktolookup#%257B%2522query%2522:%2522domainName:%255C%2522apple-online.shop$%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;apple-online.shop$&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"729\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-1024x729.png\" alt=\"\" class=\"wp-image-12371\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-1024x729.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-300x214.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-768x547.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-1536x1093.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-370x263.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-270x192.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27-740x527.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image-27.png 2040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The earliest samples with Interlock ransomware found via TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Besides gathering IOCs for monitoring, detection and alerts, the security teams were able to see inside sandbox emulations what malicious websites and pages looked like and train employees 
to recognize and avoid similar threats in the future.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-1024x570.png\" alt=\"\" class=\"wp-image-12372\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-1536x854.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-2048x1139.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image2-3-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious website opened in the Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Finally, ANY.RUN\u2019s data managed to enrich the understanding of attacks and their evolution.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"262\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2.png\" alt=\"\" class=\"wp-image-12373\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2-300x77.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2-768x197.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2-370x95.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2-270x69.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/image3-2-740x189.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN reports with analysis of Interlock\u2019s fake updater programs<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>While reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN uncovered additional tactics, such as mimicking MSTeams and MicrosoftEdge updates (evident in filenames like MSTeamsSetup.exe and MicrosoftEdgeSetup.exe).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Nitrogen Ransomware Attacks on Fintech&nbsp;<\/h3>\n\n\n\n<p>Financial services have been one of cybercriminals&#8217; most targeted sectors in recent years. The case with the Nitrogen ransomware group is pretty much similar to that with Interlock in healthcare. 
Thanks to thousands of companies using ANY.RUN, the information on the new threat appeared quickly in our services, and more companies had the opportunity to protect themselves and set up detection and alerts. &nbsp;<\/p>\n\n\n\n<p>The group was first reported about half a year ago, months after the attack unfolded, and the information about it is still scarce. This makes the data from Threat Intelligence Lookup all the more valuable, since users can interconnect, contextualize, and further explore it. &nbsp;&nbsp;<\/p>\n\n\n\n<p>For example, the first analytic report on the Nitrogen group from <a href=\"https:\/\/streamscan.ai\/en\/ressources\/analyse-du-rancongiciel-nitrogen\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">StreamScan<\/a> mentions the file <strong>truesight.sys<\/strong>&nbsp;in their attack dissection. This is a legitimate driver, one of those that are often abused by malefactors to bypass detection. The StreamScan report, however, does not contain or link to any malware samples or analyses that feature the abuse of this driver.<\/p>\n\n\n\n<p>We can use the following query in TI Lookup to find relevant samples:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522truesight.sys%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&quot;truesight.sys&quot;<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-1024x600.png\" alt=\"\" class=\"wp-image-12374\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-1024x600.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-1536x901.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/03\/comman_true.png 1840w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup contains numerous samples belonging to Nitrogen attacks<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can search for this file via TI Lookup, find dozens of analysis tasks where the driver was spotted, see how the malware behaves, and learn what IOCs are associated with truesight.sys abuse. And of course we can find other malware with similar mechanics. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Threat Intelligence Lookup and TI Feeds offer a wealth of threat data on the latest cyber attacks. From IOCs, IOAs, IOBs to TTPs, you can easily gain valuable context on any piece of intelligence and get a constant stream of up-to-date indicators directly to your detection systems. With ANY.RUN, you get actionable threat intelligence to help your business build strong, scalable, and efficient protection against ongoing and emerging threats. 
&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_intel_from_companies&amp;utm_term=270325&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request trial of ANY.RUN&#8217;s services to test them in your organization \u2192<\/a>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyber threat intelligence is all about data: its collection, exploration and research, extracting actionable insight. 
If you employ any intelligence solution, it is vital to understand what data sources it relies on and what kind of information they deliver.&nbsp;&nbsp; In ANY.RUN\u2019s Threat Intelligence Lookup and TI Feeds, we leverage fresh data from millions of sandbox [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":12386,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,54],"class_list":["post-12361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-features"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Access Cyber Threat Intel from 15,000 Companies in TI Lookup<\/title>\n<meta name=\"description\" content=\"Discover how ANY.RUN provides cyber threat intelligence enriched by the IOCs and IOBs from the latest malware analyzed by 15,000 companies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations\",\"datePublished\":\"2025-03-27T11:11:33+00:00\",\"dateModified\":\"2025-03-28T08:19:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\"},\"wordCount\":1088,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\",\"name\":\"Access Cyber Threat Intel from 15,000 Companies in TI Lookup\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-03-27T11:11:33+00:00\",\"dateModified\":\"2025-03-28T08:19:08+00:00\",\"description\":\"Discover how ANY.RUN provides cyber threat intelligence enriched by the IOCs and IOBs from the latest malware analyzed by 15,000 
companies.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Access Cyber Threat Intel from 15,000 Companies in TI Lookup","description":"Discover how ANY.RUN provides cyber threat intelligence enriched by the IOCs and IOBs from the latest malware analyzed by 15,000 companies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations","datePublished":"2025-03-27T11:11:33+00:00","dateModified":"2025-03-28T08:19:08+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/"},"wordCount":1088,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/","url":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/","name":"Access Cyber Threat Intel from 15,000 Companies in TI Lookup","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-03-27T11:11:33+00:00","dateModified":"2025-03-28T08:19:08+00:00","description":"Discover how ANY.RUN provides cyber threat intelligence enriched by the IOCs and IOBs from the latest malware analyzed by 15,000 
companies.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How We Enrich TI Lookup and Feeds with Fresh Threat Data from 15,000 Organizations"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12361"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12361"}],"version-history":[{"count":23,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12361\/revisions"}],"predecessor-version":[{"id":12409,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12361\/revisions\/12409"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/12
386"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}