{"id":14055,"date":"2025-06-04T11:24:38","date_gmt":"2025-06-04T11:24:38","guid":{"rendered":"\/cybersecurity-blog\/?p=14055"},"modified":"2025-06-17T12:34:05","modified_gmt":"2025-06-17T12:34:05","slug":"how-to-investigate-government-cyber-attacks","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/","title":{"rendered":"Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN\u00a0for Fast Response"},"content":{"rendered":"\n<p>Government institutions worldwide face a growing number of sophisticated cyberattacks. This case study examines how <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s solutions<\/a> can be leveraged to detect, analyze, and mitigate cyber threats targeting government organizations.&nbsp;<\/p>\n\n\n\n<p>By analyzing real-world threats, we demonstrate how ANY.RUN\u2019s <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>, <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> assist cybersecurity teams in identifying attack vectors, tracking malicious activities, and enhancing organizational resilience.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Case Studies&nbsp;<\/h2>\n\n\n\n<p>We will explore several attack scenarios where adversaries 
target or impersonate government bodies to gain initial access:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A phishing email sent to the South Carolina Department of Employment and Workforce (a U.S. state agency responsible for employment services and the payment of unemployment insurance benefits).&nbsp;<\/li>\n<li>A domain imitating the official website of the U.S. Social Security Administration.&nbsp;<\/li>\n<li>A malicious PDF disguised as a court notice from the South African Judiciary.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1. Phishing Email Targeting South Carolina Department of Employment and Workforce&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s take up the role of a cybersecurity officer at the department and try to understand who is targeting the organization, what malware is used, and what delivery methods are applied. &nbsp;<br>&nbsp;<br>A YARA rule is created in YARA Search to find emails analyzed in the ANY.RUN sandbox whose recipient addresses belong to the domain dew.sc.gov. 
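<\/p>

<p>The same two checks as a local Python script: the recipient-domain filter that the YARA rule expresses, and the reading of SPF, DKIM and DMARC verdicts from the Authentication-Results header that the sandbox analysis further down performs on the sample. This is an added example written for this article, not ANY.RUN code. Both .eml messages in it are constructed, and every address, host name and IP in them is made up (203.0.113.45 is from a documentation range); the YARA sketch in the comment is the equivalent recipient test for YARA Search.<\/p>

```python
"""Local counterpart of two checks in this section: the YARA search for messages sent
to a watched recipient domain, and reading the SPF/DKIM/DMARC verdicts the receiving
gateway wrote into Authentication-Results (RFC 8601). Added example for this article,
not ANY.RUN code; both .eml samples are constructed and every address, host and IP in
them is made up."""
import re
from email import message_from_bytes, policy
from email.utils import getaddresses

WATCHED_DOMAINS = {"dew.sc.gov"}        # exact recipient domains we protect
WATCHED_SUFFIXES = (".gov",)            # the wider net of the .gov YARA search
RISKY_EXTENSIONS = (".exe", ".zip", ".iso", ".img", ".js", ".vbs", ".lnk", ".html")

# The recipient test as a YARA sketch for YARA Search (a regex over the raw message):
#   rule mail_to_dew_sc_gov {
#     strings: $to = /(To|Cc|Delivered-To):[^\r\n]*@dew\.sc\.gov/ nocase
#     condition: $to }

def parse_auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, plus the authserv-id of
    the gateway that wrote the first header (whether to trust it is the caller's call)."""
    verdicts, authserv = {}, None
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)
        authserv = authserv or (text.split(";", 1)[0].split() or [None])[0]
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts, authserv

def sender_ip(msg):
    """Connecting IP recorded by the gateway (client-ip= in Received-SPF or Authentication-Results)."""
    for name in ("Received-SPF", "Authentication-Results"):
        for hdr in msg.get_all(name, []):
            m = re.search(r"client-ip=\[?([0-9a-fA-F.:]+)", str(hdr))
            if m:
                return m.group(1)
    return None

def sender_unauthenticated(verdicts):
    """DMARC passes only on an aligned SPF or DKIM pass, so dmarc=fail is the strongest
    signal; with no DMARC result, require both SPF and DKIM to be non-pass."""
    if verdicts.get("dmarc") == "fail":
        return True
    return verdicts.get("spf") != "pass" and verdicts.get("dkim") != "pass"

def triage(raw):
    """Fields an analyst records per message: recipients, subject, attachments, auth."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = [str(h) for n in ("To", "Cc", "Delivered-To") for h in msg.get_all(n, [])]
    domains = {a.lower().rsplit("@", 1)[1] for _, a in getaddresses(headers) if "@" in a}
    attachments = [(p.get_filename() or "", p.get_content_type()) for p in msg.iter_attachments()]
    verdicts, authserv = parse_auth_results(msg)
    return {
        "subject": str(msg["Subject"] or ""),
        "recipient_domains": sorted(domains),
        "watched_recipient": any(d in WATCHED_DOMAINS or d.endswith(WATCHED_SUFFIXES) for d in domains),
        "attachments": attachments,
        "risky_attachment": any(n.lower().endswith(RISKY_EXTENSIONS) for n, _ in attachments),
        "auth": verdicts,
        "authserv": authserv,
        "sender_ip": sender_ip(msg),
        "sender_unauthenticated": sender_unauthenticated(verdicts),
    }

# Constructed lure modelled on the case: 163.com sender, SPF fail, no DKIM signature,
# DMARC fail, ZIP attachment. 203.0.113.45 is a documentation-range address.
LURE = b"""Authentication-Results: mx.sc.gov.example;
 spf=fail (203.0.113.45 is not authorized to send mail for 163.com) smtp.mailfrom=sales@163.com;
 dkim=none (message not signed);
 dmarc=fail (p=REJECT) header.from=163.com
Received-SPF: fail (mx.sc.gov.example: 203.0.113.45 is not permitted) client-ip=203.0.113.45
From: Sales <sales@163.com>
To: <someone@dew.sc.gov>
Subject: Quotation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached quotation.
--b1
Content-Type: application/zip; name="Quotation.zip"
Content-Disposition: attachment; filename="Quotation.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message: authenticated sender, recipient outside the watch list.
BENIGN = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news@vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: News <news@vendor.example>
To: reader@example.net
Subject: Monthly newsletter

Nothing to see here.
"""
```

<p>Point triage() at each file of a mail export (open the file in binary mode and pass the bytes) and keep the records whose watched_recipient is true; subject, attachments and sender_ip are the fields the bullet list below asks for. The verdicts are only as trustworthy as the gateway that wrote them, which is why the script also returns the authserv-id: RFC 8601 requires a border MTA to delete inbound Authentication-Results headers that carry its own identifier, so a header with a foreign authserv-id should be ignored rather than believed.<\/p>

<p>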
It identified 33 files and their analyses featuring email addresses on dew.sc.gov.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-1024x523.png\" alt=\"\" class=\"wp-image-14063\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-1024x523.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-1536x785.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-2048x1046.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-740x378.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>YARA rule search of email analyses by domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>These results help to better understand threats targeting the agency:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Study subject lines, attachment types, and delivery methods.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify malware and tools used for attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collect artifacts (hashes, URLs, IPs) for filtering and monitoring.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect recurring techniques to improve protection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s <a 
href=\"https:\/\/app.any.run\/tasks\/583e3d2f-876e-4b57-8bee-879d4cdbb45c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">view one of the sandbox analyses<\/a> linked to the detected files: &nbsp;<br>&nbsp;<br>In April 2025, a phishing email was uploaded to ANY.RUN, targeting an employee at the South Carolina DEW. The email, sent from @163.com domain, contained a malicious ZIP attachment named &#8220;Quotation.zip&#8221; (658 KB).&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"596\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-1024x596.png\" alt=\"\" class=\"wp-image-14139\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-1024x596.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-768x447.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2-740x431.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-2.png 1124w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The malicious email as seen by a user<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We can run a <a href=\"https:\/\/app.any.run\/tasks\/0e98323b-9eda-462e-9e02-222e03ced6e6\" target=\"_blank\" rel=\"noreferrer noopener\">separate analysis of the email in the Sandbox.<\/a> First of all, header analysis shows that the email failed SPF, DKIM, and DMARC checks 
\u2014 the IP address wasn&#8217;t authorized for sending from 163.com, and no DKIM signature was present. <\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nDetect phishing and malware threats faster<br>with <span class=\"highlight\">ANY.RUN&#8217;s Interactive Sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=government_investigations&#038;utm_term=040625&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nSign up with business email\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>The IP can be used as an IOC and subjected to reputation checks.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"628\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-1024x628.png\" alt=\"\" class=\"wp-image-14119\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-1024x628.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-768x471.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-1536x942.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-2048x1256.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-1-740x454.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Email sender IP fails verification<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The email attachment that includes an executable file, &#8220;Quotation.exe\u201d, has been flagged as a stealer by ANY.RUN\u2019s signatures even before execution. The malware was identified as <a href=\"https:\/\/any.run\/malware-trends\/formbook\/\" target=\"_blank\" rel=\"noreferrer noopener\">FormBook<\/a>, with behaviors mapped to <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK<\/a> techniques T1552.001 (Credentials in Files) and T1518 (Software Discovery). 
The execution chain is visualized in the Graph section:&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"332\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-1024x332.png\" alt=\"\" class=\"wp-image-14069\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-1024x332.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-300x97.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-768x249.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-370x120.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-270x87.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-740x240.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5.png 1297w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Processes graph<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"527\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6.png\" alt=\"\" class=\"wp-image-14071\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6.png 720w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-300x220.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-370x271.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-270x198.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-80x60.png 80w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><figcaption class=\"wp-element-caption\"><em>The detailed process 
involving FormBook activity<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Network traffic analysis confirmed FormBook activity: <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata rules<\/a> matched the HTTP headers characteristic of the stealer\u2019s traffic.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"767\" height=\"461\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7.png\" alt=\"\" class=\"wp-image-14073\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7.png 767w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-300x180.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-370x222.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-740x445.png 740w\" sizes=\"(max-width: 767px) 100vw, 767px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata stealer detection<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">How to Find Similar Emails via ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>Now let us scale up and explore the landscape of similar attacks: the patterns they follow and how pressing such threats are for government agencies in the USA. 
A TI Lookup search was run for FormBook samples uploaded for sandbox analysis by users from the USA and delivered to them by email opened via Outlook: &nbsp;<br>&nbsp;<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522FormBook%255C%2522%2520and%2520submissionCountry:%255C%2522US%255C%2522%2520and%2520commandLine:%255C%2522outlook.exe%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;FormBook&#8221; and submissionCountry:&#8221;US&#8221; and commandLine:&#8221;outlook.exe&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"703\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-1024x703.png\" alt=\"\" class=\"wp-image-14075\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-1024x703.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-300x206.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-768x527.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-1536x1054.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-2048x1406.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-370x254.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-270x185.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-740x508.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup search 
for emails with FormBook stealer received by US users<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>12 sandbox analysis sessions were found, each containing unique indicators such as hashes, IPs, C2 calls, and email content. This data can be used to derive context and to track recurring techniques.&nbsp;<\/p>\n\n\n\n<p>A broader view is available by running a YARA Search for emails with .gov recipients in 2025, which surfaces malicious activity targeting US government agencies:&nbsp;<\/p>\n\n\n<div
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"810\" height=\"738\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9.png\" alt=\"\" class=\"wp-image-14077\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9.png 810w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-300x273.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-768x700.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-370x337.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-270x246.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-740x674.png 740w\" sizes=\"(max-width: 810px) 100vw, 810px\" \/><figcaption class=\"wp-element-caption\"><em>At least 2,500+ emails received by .gov recipients by mid-2025<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Not all the found letters are malicious, but many reflect current phishing tactics recruited against government bodies.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Custom YARA rules can be adjusted for relevance: change conditions, add filters, and thus create a selection of emails relevant to an organization\u2019s threat profile.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. Fraudulent Domain Mimicking the U.S. Social Security Administration&nbsp;<\/h2>\n\n\n\n<p>Next, we simulate the role of a SOC analyst at the U.S. SSA and research phishing domains that impersonate our entrusted agency. 
What do the pages these domains host look like, what payloads do they deliver, and what tactics and methods do the adversaries use?&nbsp;<\/p>\n\n\n\n<p>Via TI Lookup, we search for domains flagged as malicious whose names contain the string ssagov (the asterisks are wildcards):&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522domainName:%255C%2522*ssagov*%255C%2522%2520and%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;*ssagov*&#8221; and threatLevel:&#8221;malicious&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>The search returned 22 sandbox analyses, with 7 unique potentially malicious domains. This indicates that attackers actively spoof the SSA for phishing. Exploring these campaigns allows SOC teams to gather indicators, set up detection systems, and enhance triage and response.&nbsp;<\/p>\n\n\n\n<p>For example, an Interactive Sandbox <a href=\"https:\/\/app.any.run\/tasks\/fa278d34-b6d1-4770-a135-9dfe8cf38827\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">analysis session from May 2025<\/a> spotted a malicious domain documentssagov[.]com that mimics SSA\u2019s website and prompts users to download a \u201cdocument\u201d. 
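<\/p>

<p>A local way to apply the same brand-token matching to a domain list of your own (DNS logs, passive DNS, certificate transparency feeds), with the generalizations a wildcard search cannot express: an allowlist so the genuine agency domain never alerts, detection of the genuine name used as a subdomain of someone else&#8217;s domain, and a fuzzy match for typosquats. This is an added example for this article, not ANY.RUN code, and it also covers the *mofa* search later in this section. The brand table, allowlist and observed domains are constructed: documentssagov[.]com is the domain from the analysis above, ssa.gov is the real SSA site, and the MOFA allowlist entry is an assumed example.<\/p>

```python
"""Offline counterpart of the TI Lookup wildcard searches in this section
(domainName:"*ssagov*" here, domainName:"*mofa*" later): classify observed domains
as impersonating a government brand while keeping the genuine agency domains out
of the alert set. Added example for this article, not ANY.RUN code; the brand
table, allowlist and observed list are constructed (documentssagov[.]com is the
domain named in the analysis above, the rest are made up)."""
import re
from difflib import SequenceMatcher

# Tokens attackers bake into lookalike names, and the genuine domains that must never
# be flagged (ssa.gov is the real SSA site; the MOFA allowlist entry is an assumed example).
BRANDS = {
    "SSA":  {"tokens": ("ssagov", "socialsecurity"), "legit": ("ssa.gov",)},
    "MOFA": {"tokens": ("mofa",),                    "legit": ("mofa.go.jp",)},
}
# Labels under which the third label is the registrable name (a stand-in for the
# Public Suffix List, which production code should use instead).
SECOND_LEVEL = {"gov", "go", "co", "com", "org", "net", "ac", "edu"}

def refang(value):
    """Analyst notation (documentssagov[.]com, hxxps://) back to a plain lowercase host."""
    host = re.sub(r"^hxxps?://|^https?://", "", value.strip().lower())
    return host.replace("[.]", ".").replace("(.)", ".").split("/")[0].rstrip(".")

def registrable(host):
    """Owner-controlled part of the name: two labels, or three under gov.xx / go.xx style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(value):
    """(verdict, brand, reason): legitimate, impersonation, lookalike or none."""
    host = refang(value)
    reg = registrable(host)
    for brand, spec in BRANDS.items():
        if reg in spec["legit"]:
            return ("legitimate", brand, reg)
    for brand, spec in BRANDS.items():
        # Genuine name used as leading labels of someone else's domain: ssa.gov.claims-review.example
        for legit in spec["legit"]:
            if host.startswith(legit + ".") or "." + legit + "." in host:
                return ("impersonation", brand, f"{legit} as subdomain of {reg}")
        sld = reg.split(".")[0]
        compact = re.sub(r"[^a-z]", "", sld)           # the *token* wildcard, ignoring separators
        for token in spec["tokens"]:
            if token in compact:
                return ("impersonation", brand, f"token {token} in {reg}")
        # Typosquats: compare each hyphen-separated chunk of the name against the tokens.
        for chunk in filter(None, re.split(r"[-_\d]+", sld)):
            for token in spec["tokens"]:
                ratio = SequenceMatcher(None, chunk, token).ratio()
                if len(chunk) >= 5 and ratio >= 0.85:
                    return ("lookalike", brand, f"{chunk} ~ {token} ({ratio:.2f})")
    return ("none", None, reg)

def alerts(observed):
    """Hosts worth an analyst's time, mapped to their classification."""
    out = {}
    for value in observed:
        verdict = classify(value)
        if verdict[0] in ("impersonation", "lookalike"):
            out[refang(value)] = verdict
    return out

# Constructed observation list, e.g. from DNS logs or a passive-DNS export.
OBSERVED = [
    "documentssagov[.]com",
    "hxxps://ssa.gov.claims-review.example/login",
    "www.ssa.gov",
    "socialsecuritty-benefits.example",
    "mofa-portal-update.example",
    "mofa.go.jp",
    "massagovernment.example",   # substring collision: the false-positive cost of *ssagov*
    "weather.example",
]

if __name__ == "__main__":
    for host, verdict in alerts(OBSERVED).items():
        print(host, verdict)
```

<p>The second-to-last observed entry shows the price of a pure substring rule: massagovernment.example contains ssagov and is flagged, which is also why the results of a wildcard TI Lookup query are best read as candidates for review rather than verdicts. Production code should replace the SECOND_LEVEL stand-in with the Public Suffix List so that registrable names are computed correctly for every TLD.<\/p>

<p>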
Typical social engineering tactics are engaged \u2014 urgency, fake branding, and download prompts.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"450\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-1024x450.png\" alt=\"\" class=\"wp-image-14079\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-1024x450.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-300x132.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-768x337.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-370x162.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-270x119.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-740x325.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea.png 1123w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>An executable disguised as a document urging to be opened<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"673\" height=\"334\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb.png\" alt=\"\" class=\"wp-image-14081\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb.png 673w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-300x149.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-370x184.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-270x134.png 270w\" sizes=\"(max-width: 673px) 100vw, 673px\" \/><figcaption class=\"wp-element-caption\"><em>Typical social engineering baits 
activated<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Instead of a document, an executable named SSA_Document.exe is downloaded. On execution, it deploys the ScreenConnect remote administration tool, indicating an attempt to gain remote access to the victim\u2019s machine. This activity was detected via Suricata and mapped to the MITRE ATT&amp;CK matrix.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"719\" height=\"535\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec.png\" alt=\"\" class=\"wp-image-14083\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec.png 719w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-300x223.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-370x275.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-270x201.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-80x60.png 80w\" sizes=\"(max-width: 719px) 100vw, 719px\" \/><figcaption class=\"wp-element-caption\"><em>Remote access software and connection to an unusual port detected<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">How to Find Similar Domains via ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>Besides researching threats against a specific agency, we can hunt for a broader domain-based tactic: spoofing a whole sector of government bodies.&nbsp;<\/p>\n\n\n\n<p>We aim to identify which phishing domains malicious actors are using, how actively they are being used, and what techniques deliver the malicious payloads, while also enriching our detection systems with new indicators.&nbsp;<\/p>\n\n\n\n<p>Suppose we are interested in current attacks targeting ministries of foreign affairs. 
Let\u2019s try to find potentially malicious domains that imitate the official websites of such organizations. Typically, these sites contain the abbreviation \u201cmofa\u201d (Ministry of Foreign Affairs) in their domain names.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522*mofa*%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;*mofa*&#8221; AND threatLevel:&#8221;malicious&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"325\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged.png\" alt=\"\" class=\"wp-image-14085\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged.png 805w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-768x310.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-740x299.png 740w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><figcaption class=\"wp-element-caption\"><em>Search results of domains containing \u2013mofa-<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"174\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image.jpg\" alt=\"\" class=\"wp-image-14087\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image.jpg 816w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-300x64.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-768x164.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-370x79.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-270x58.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-740x158.jpg 740w\" sizes=\"(max-width: 816px) 100vw, 816px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analyses from the \u2013mofa- search results<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This TI Lookup search reveals 12 potentially malicious domains and 22 related analyses. Each analysis session contains IOCs, TTPs, domain interaction patterns, and data on malware distribution vectors. Such insights help understand phishing strategies, delivery mechanisms, and enrich detection systems with new indicators.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Malicious PDF Posing as a South African Judiciary Notice&nbsp;<\/h2>\n\n\n\n<p>Finally, let\u2019s put on the hat of a South African Judiciary body employee and imagine having received an email with a PDF document disguised as an urgent judicial notice. We upload the file to ANY.RUN\u2019s Interactive Sandbox and <a href=\"https:\/\/app.any.run\/tasks\/b2b39b9c-5506-4388-9210-fef0e6e1205c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">perform an analysis<\/a>. &nbsp;<br>&nbsp;<br>The document mimics a court summons allegedly sent to a company, urging the recipient to immediately review the case materials. 
A button labeled &#8220;PREVIEW YOUR SUMMON DOCUMENT HERE&#8221; leads to an external link likely hosting a malicious payload.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1001\" height=\"599\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1.png\" alt=\"\" class=\"wp-image-14121\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1.png 1001w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1-300x180.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1-768x460.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagee-1-740x443.png 740w\" sizes=\"(max-width: 1001px) 100vw, 1001px\" \/><figcaption class=\"wp-element-caption\"><em>Email with a malicious link instead of an official document<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is a classic example of social engineering, designed to create a sense of urgency and official pressure. The use of visual elements typical of government notifications increases the chances of recipient engagement. Such PDF files are often used to deliver and execute malicious code or as a trigger to redirect users to phishing sites.&nbsp;<\/p>\n\n\n\n<p>Upon opening the PDF, ANY.RUN flags the file as potentially phishing-related. It detects telltale signs, such as wording commonly used in phishing campaigns and embedded links. 
Quickly it becomes clear that the file is unsafe and likely part of an attack.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"192\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagef.png\" alt=\"\" class=\"wp-image-14091\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagef.png 735w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagef-300x78.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagef-370x97.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagef-270x71.png 270w\" sizes=\"(max-width: 735px) 100vw, 735px\" \/><figcaption class=\"wp-element-caption\"><em>The document instantly gets flagged as malicious<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"311\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10.png\" alt=\"\" class=\"wp-image-14093\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10.png 720w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-300x130.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-370x160.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-270x117.png 270w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><figcaption class=\"wp-element-caption\"><em>Suspicious attributes considered in detection<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Clicking the &#8220;PREVIEW YOUR SUMMON DOCUMENT HERE&#8221; button redirects the user to FloppyShare, from which a file named &#8220;SUMMON COURT DEMAND DOCUMENT.html&#8221; is automatically downloaded. 
When opened, this HTML document displays a fake Microsoft Office 365 Mail login form, prompting the victim to enter their credentials.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-1024x530.png\" alt=\"\" class=\"wp-image-14096\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-1024x530.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-768x397.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-370x191.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1-740x383.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-1.png 1119w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Microsoft authentication page ready to steal credentials<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This tactic is typical of credential-harvesting phishing attacks. The form visually mimics Microsoft\u2019s authentication page, increasing the likelihood that victims will input their login details.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to Find Similar Documents via ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>One effective approach is to extract embedded images from the PDF and search for their hashes in the ANY.RUN database. This helps identify similar samples, recurring templates, and visual elements used by attackers in social engineering campaigns. 
By doing so, we gain deeper insight into their tactics and uncover related malicious content.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1024x538.png\" alt=\"\" class=\"wp-image-14098\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-768x404.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-740x389.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12.png 1037w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>An image from a phishing letter can be used to expose more<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-1024x246.jpg\" alt=\"\" class=\"wp-image-14099\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-1024x246.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-300x72.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-768x184.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-370x89.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-270x65.jpg 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-740x178.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2.jpg 1038w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image identifiers including hashes in the Interactive Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s take the hash of one of the PDF\u2019s embedded images and perform a search via TI Lookup with a simple query: &nbsp;<br>&nbsp;<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktolookup#%7B%2522query%2522:%2522sha256:%255C%2522dfbbc198e7cb36ca31a5cb9dfd859955c4366b94f4a87c2a03102d60168eb74d%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">sha256:&#8221;dfbbc198e7cb36ca31a5cb9dfd859955c4366b94f4a87c2a03102d60168eb74d&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>The results reveal 18 analyses featuring various PDF variants and payload delivery methods. 
Attackers disguise malicious pages as legitimate services and use different hosting platforms.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"541\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-1024x541.png\" alt=\"\" class=\"wp-image-14101\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-1024x541.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-768x406.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-1536x812.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-740x391.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13.png 1582w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>File names typical for phishing pseudo-official attachments<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The data from the samples can serve as indicators of compromise (IOCs) for malicious activity targeting a specific company or sector of interest.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary on the Cases&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u2019s capabilities enabled rapid threat detection and analysis:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TI Lookup:<\/strong> Provides detailed threat intelligence, including domain and IP reputation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>YARA Search: <\/strong>Identifies targeted phishing campaigns by filtering emails with specific recipient domains, 
yielding actionable IOCs and samples.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sandbox Analysis: <\/strong>Executes malicious files to observe behaviors, map MITRE ATT&amp;CK techniques, and detect network-based threats using Suricata rules.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The ability of these solutions to scale analysis and correlate threats across multiple incidents helps to build a comprehensive attack profile, critical for government cybersecurity strategies.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations for Decision-Makers&nbsp;<\/h2>\n\n\n\n<p>For government cybersecurity leaders, we recommend the following:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Adopt proactive threat hunting<\/strong>: Use ANY.RUN\u2019s YARA Search to monitor emails and files targeting agency domains, enabling early detection of phishing and malware campaigns.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Leverage real-time analysis<\/strong>: Employ ANY.RUN\u2019s Interactive Sandbox to analyze suspicious attachments and URLs, ensuring rapid identification of threats.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Use threat intelligence<\/strong>: Utilize TI Lookup to gather IOCs to block malicious IPs, domains, and URLs across agency networks.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Empower staff with phishing awareness<\/strong>: Educate employees on recognizing spoofed domains and suspicious attachments, using insights from ANY.RUN analyses.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Integrate with existing systems<\/strong>: Incorporate ANY.RUN&#8217;s <a href=\"https:\/\/intelligence.any.run\/feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktofeeds\" target=\"_blank\" 
rel=\"noreferrer noopener\">TI Feeds<\/a> to automate threat detection.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>By providing real-time analysis, scalable threat hunting, and actionable intelligence, ANY.RUN empowers cybersecurity teams to protect critical infrastructure effectively. Implementing these recommendations will strengthen defenses, reduce response times, and mitigate risks posed by targeted cyber threats.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=government_investigations&amp;utm_term=040625&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get a 14-day trial of ANY.RUN\u2019s solutions<\/a>&nbsp;and see how much faster and deeper your threat investigations can be.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Government institutions worldwide face a growing number of sophisticated cyberattacks. This case study examines how ANY.RUN\u2019s solutions can be leveraged to detect, analyze, and mitigate cyber threats targeting government organizations.&nbsp; By analyzing real-world threats, we demonstrate how ANY.RUN\u2019s Threat Intelligence Lookup, Interactive Sandbox, and YARA Search assist cybersecurity teams in identifying attack vectors, tracking malicious [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14109,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-14055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cyber Attacks on Government Agencies: Detect and Investigate<\/title>\n<meta name=\"description\" 
content=\"Discover analysis of real-world cyber attacks on government organizations and see how ANY.RUN can help detect and investigate them.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"4OURUP\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\"},\"author\":{\"name\":\"4OURUP\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN\u00a0for Fast Response\",\"datePublished\":\"2025-06-04T11:24:38+00:00\",\"dateModified\":\"2025-06-17T12:34:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\"},\"wordCount\":1895,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware 
Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\",\"name\":\"Cyber Attacks on Government Agencies: Detect and Investigate\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-06-04T11:24:38+00:00\",\"dateModified\":\"2025-06-17T12:34:05+00:00\",\"description\":\"Discover analysis of real-world cyber attacks on government organizations and see how ANY.RUN can help detect and investigate them.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN\u00a0for Fast Response\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"4OURUP\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"caption\":\"4OURUP\"},\"description\":\"I research malicious activity, attack tactics, and techniques. I analyze cyber threats, process data, and help stay one step ahead of adversaries.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cyber Attacks on Government Agencies: Detect and Investigate","description":"Discover analysis of real-world cyber attacks on government organizations and see how ANY.RUN can help detect and investigate them.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/","twitter_misc":{"Written by":"4OURUP","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/"},"author":{"name":"4OURUP","@id":"https:\/\/any.run\/"},"headline":"Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN\u00a0for Fast Response","datePublished":"2025-06-04T11:24:38+00:00","dateModified":"2025-06-17T12:34:05+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/"},"wordCount":1895,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/","name":"Cyber Attacks on Government Agencies: Detect and 
Investigate","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-06-04T11:24:38+00:00","dateModified":"2025-06-17T12:34:05+00:00","description":"Discover analysis of real-world cyber attacks on government organizations and see how ANY.RUN can help detect and investigate them.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-investigate-government-cyber-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Cyber Attacks on Government Agencies: Detect and Investigate with ANY.RUN\u00a0for Fast Response"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"4OURUP","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","caption":"4OURUP"},"description":"I research malicious activity, attack tactics, and techniques. 
I analyze cyber threats, process data, and help stay one step ahead of adversaries.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14055"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=14055"}],"version-history":[{"count":39,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14055\/revisions"}],"predecessor-version":[{"id":14316,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14055\/revisions\/14316"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/14109"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=14055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=14055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=14055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}