{"id":15944,"date":"2025-09-24T12:03:57","date_gmt":"2025-09-24T12:03:57","guid":{"rendered":"\/cybersecurity-blog\/?p=15944"},"modified":"2025-10-07T08:36:01","modified_gmt":"2025-10-07T08:36:01","slug":"fighting-telecom-attacks-with-anyrun","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/","title":{"rendered":"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies"},"content":{"rendered":"\n<p>Telecommunications companies are the digital arteries of modern civilization. Compromise a major telecom operator, and you don&#8217;t just steal data \u2014 you gain the power to intercept communications, manipulate network traffic, and bring entire regions offline.&nbsp;<br>&nbsp;<br>Every day, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktolanding\">ANY.RUN\u2019s solutions<\/a> process thousands of threat samples, and hidden within them are patterns of activity targeting telecom operators. Some are opportunistic, others are advanced and carefully orchestrated.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>In this report, we\u2019ll walk through real-world attacks where threat actors weaponized telecom brand trust to launch attacks. 
We\u2019ll also show how analysts can detect these threats, extract indicators of compromise (<a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a>), and strengthen defenses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li><strong>Telecommunications under siege:<\/strong> The telecom sector faced sustained growth in malicious activity from May-July 2025, with 56% of observed APT campaigns targeting telecom and media companies.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul start=\"2\" class=\"wp-block-list\">\n<li><strong>Brand impersonation is weaponized trust:<\/strong> Attackers systematically abuse telecom brand recognition, using familiar logos, official-looking domains, and corporate communication styles to bypass human skepticism and technical filters.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul start=\"3\" class=\"wp-block-list\">\n<li><strong>Pattern recognition defeats mass campaigns<\/strong>: Simple YARA rules can expose large-scale operations.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul start=\"4\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA phishing kit<\/a> remains active: <\/strong>The phishing framework designed to steal Microsoft credentials and bypass two-factor authentication is a critical concern for enterprise telecom environments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul start=\"5\" class=\"wp-block-list\">\n<li><strong>Interactive Sandbox reveals multi-stage attack progression<\/strong>: <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a> captured the complete attack flow from the initial 
PDF attachment to the final phishing page. This real-time analysis exposed the redirection chain from legitimate-looking emails to DGA-generated domains (xjrsel.ywnhwmard[.]es), enabling early detection before credentials could be harvested.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul start=\"6\" class=\"wp-block-list\">\n<li><strong>Proactive hunting scales defense: <\/strong>Combining YARA Search with <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> transforms reactive incident response into proactive threat hunting, enabling security teams to build comprehensive defenses before attacks succeed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Recent Telecom Attack Dynamics&nbsp;<\/h2>\n\n\n\n<p>Attacks on communication operators can disrupt critical services, lead to leaks of confidential information, and be used as a springboard for large-scale cyber espionage operations.&nbsp;<\/p>\n\n\n\n<p>According to Cyfirma, the telecommunications and media industry was targeted in 9 out of 16 observed <a href=\"https:\/\/any.run\/cybersecurity-blog\/track-advanced-persistent-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">APT<\/a> campaigns in May\u2013July 2025, accounting for 56% of all cases. Activity peaked in May, followed by a slight decline in June and a renewed increase in July.&nbsp;<\/p>\n\n\n\n<p>We at ANY.RUN have observed a steady increase in telecom-targeting attacks in May\u2013July 2025. The Sandbox data shows smoother, continuous growth, reaching a maximum in July. 
This reflects the constant pressure of mass attacks.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"946\" height=\"255\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3.png\" alt=\"\" class=\"wp-image-15950\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3.png 946w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3-300x81.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3-768x207.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3-370x100.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3-270x73.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image3-3-740x199.png 740w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s data shows steady growth of telecom attacks<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In our <a href=\"https:\/\/intelligence.any.run\/reports\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Reports<\/a> highlighting the activity of top APT groups, we also see increased targeting of the media and telecom sectors in recent attacks. 
&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis of Threats Targeting a Major Telecom Holding&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s take the perspective of an information security specialist at a huge British telecommunications holding company operating in approximately 180 countries and providing fixed-line, broadband internet, mobile communications, and pay-TV services.&nbsp;<\/p>\n\n\n\n<p>Our goal is to determine how attackers spread malware, which families they use, which indicators can be collected, and the frequency, dynamics, and technical details of the attacks.&nbsp; &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-1024x534.png\" alt=\"\" class=\"wp-image-15971\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-1024x534.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-300x156.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee-740x386.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagee.png 1482w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The results of a YARA rule scan<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We will start with <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>, 
which allows SOC teams to navigate a database of live attack data from 15,000 organizations. Using TI Lookup\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-rules-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA<\/a> Search, we can create a simple rule to find all emails uploaded into the sandbox where the recipient field contains the holding\u2019s domain. This allows us to identify malicious attachments and links aimed at its employees.\u00a0<\/p>\n\n\n\n<p>As a result of executing the YARA rule, dozens of files were discovered containing addresses with the corporation&#8217;s domain in the recipient field. Each of these files was linked to one or more analyses in ANY.RUN\u2019s Sandbox, which also featured this domain, confirming the presence of potentially significant malicious activity directed at company employees.<\/p>\n\n\n\n<p>ANY.RUN\u2019s 
<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox <\/a>allows security analysts to safely execute suspicious files and observe their behavior in real-time, capturing network communications, file modifications, and malicious redirections before they can impact production systems. This controlled environment reveals attack chains from initial email delivery through credential harvesting attempts.<\/p>\n\n\n\n<p>Let us analyze one of the found emails.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/6f3edd8f-2dca-4d7c-857e-f9109102a6c6\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis of the malicious email<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"518\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-1024x518.png\" alt=\"\" class=\"wp-image-15962\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-1024x518.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-300x152.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-768x389.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-1536x778.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-370x187.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-270x137.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1-740x375.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagef-1.png 1768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A phishing email sample detonated in ANY.RUN\u2019s Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">A Phishing Message Through a SOC Analyst Lens&nbsp;<\/h3>\n\n\n\n<p>On July 9, 2025, an email addressed to giova[xx.xx]stantini@[thedomain dot]com was uploaded to ANY.RUN. The sender was listed as Bt_Bt_xu86@ksi.com.pk with the display name \u201cDocSgn.\u201d The domain ksi[.]com[.]pk belongs to Khatib Sons International, a Pakistani metal company, and has no relation to the email content. 
Coupled with the \u201cDocSgn\u201d branding, this impersonated a well-known electronic document signature service to trick the recipient.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/6f3edd8f-2dca-4d7c-857e-f9109102a6c6\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis of the email<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"629\" height=\"429\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image10-2.png\" alt=\"\" class=\"wp-image-15964\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image10-2.png 629w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image10-2-300x205.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image10-2-370x252.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image10-2-270x184.png 270w\" sizes=\"(max-width: 629px) 100vw, 629px\" \/><figcaption class=\"wp-element-caption\"><em>A phishing email with characteristic sender and subject<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The subject line \u2014 \u201cRe: Re: Completed: For Sales contract (h4nc)\u201d \u2014 mimicked an ongoing conversation, a common social engineering tactic to reduce suspicion.&nbsp;<\/p>\n\n\n\n<p>The email contained a PDF attachment and a form with a \u201cReview and Sign\u201d button in the body, luring the recipient to view and sign a supposed document.&nbsp;<\/p>\n\n\n\n<p>Additionally, at least five similar emails were detected targeting other employees, with generic content not tailored to specific recipients \u2014 indicating a mass campaign.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"936\" height=\"534\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1.png\" alt=\"\" class=\"wp-image-15958\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1.png 936w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1-768x438.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image11-1-740x422.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\"><em>The redirect to a generated domain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Clicking the \u201cReview and Sign\u201d button redirected the user to a fake Microsoft login page hosted on xjrsel.ywnhwmard[.]es, a domain resembling a DGA-generated address, a common indicator of phishing or malicious resources.&nbsp;<\/p>\n\n\n\n<p>This threat was identified as the <a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA phishing kit<\/a>, known for spoofing Microsoft login pages and harvesting credentials.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network-Level Detection&nbsp;<\/h3>\n\n\n\n<p>Suricata rules triggered on network 
activity associated with the Tycoon2FA kit. 
The alerts provided details such as MITRE ATT&amp;CK technique T1566 (Phishing), the suspicious DGA-like domain, and connection metadata.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1.png\" alt=\"\" class=\"wp-image-15974\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1.png 936w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1-768x446.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image8-1-740x430.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule with domain and telemetry data detected in the sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>That\u2019s exactly how ANY.RUN\u2019s solutions help detect threats early, exposing phishing attempts before they do damage. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Searching for Similar Threats Targeting UK Companies&nbsp;<\/h2>\n\n\n\n<p>Using ANY.RUN\u2019s Threat Intelligence Lookup, we\u2019ve searched for samples uploaded from the UK containing the same PDF attachment. 
The query returned about 40 sandbox analyses, mostly from July 2025, including emails targeting a number of UK companies.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522sha256:%255C%2522689cdb319d8cae155516d9f8ddfbd0c99de048252e84f529e0ccc538523a5eba%255C%2522%2520and%2520submissionCountry:%255C%2522GB%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">sha256:&quot;689cdb319d8cae155516d9f8ddfbd0c99de048252e84f529e0ccc538523a5eba&quot; and submissionCountry:&quot;GB&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-1024x547.png\" alt=\"\" class=\"wp-image-15977\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-1024x547.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-768x410.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1-740x395.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image9-1.png 1335w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>File hash TI Lookup search results<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We\u2019ve also identified repeating sender address patterns across multiple phishing emails, indicating automated mass distribution.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Sorting Out Emails with Specific Sender Pattern&nbsp;<\/h3>\n\n\n\n<p>Many malicious emails sent 
to telecom companies have fixed patterns for forming sender addresses in the From field. The structure looks as follows:&nbsp;<\/p>\n\n\n\n<p>\u201c._*\u201d &lt;*_*_*@*.com&gt;&nbsp;<\/p>\n\n\n\n<p>The display name usually began with \u201c._\u201d followed by a word in capital letters. The email address repeated a word twice, separated by underscores, followed by random characters before the @, and ending in .com.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"210\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image12.png\" alt=\"\" class=\"wp-image-15979\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image12.png 625w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image12-300x101.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image12-370x124.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image12-270x91.png 270w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><figcaption class=\"wp-element-caption\"><em>Email with sender name generated with a specific pattern<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This structure strongly suggests automated mass phishing.&nbsp;<br><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"631\" height=\"191\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image13.png\" alt=\"\" class=\"wp-image-15980\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image13.png 631w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image13-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image13-370x112.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image13-270x82.png 270w\" sizes=\"(max-width: 
631px) 100vw, 631px\" \/><figcaption class=\"wp-element-caption\"><em>Email with characteristic sender name from another campaign<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Such a pattern is most likely generated automatically for mass mailings, so it can serve as the basis for a filtering rule that blocks similar emails.&nbsp;<\/p>\n\n\n\n<p>A YARA rule was created to detect such emails in ANY.RUN\u2019s database of malware samples. The rule revealed 16 files with the sender pattern, linked to multiple sandbox analyses. From these, we can extract senders\u2019 addresses, email and attachment hashes, URLs, phishing domains, IPs, subjects, and other indicators.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-1024x502.png\" alt=\"\" class=\"wp-image-15952\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-1024x502.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-300x147.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-768x377.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-370x182.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-270x132.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec-740x363.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imagec.png 1325w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>YARA rule for searching emails with the sender pattern<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This data allows analysts to assess the relevance of the threat, determine its timeframe, and identify target organizations and countries. 
Based on this, you can prioritize this threat for your company and add indicators to the detection and response systems.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tracking Telecom Impersonation Attacks&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s map the threat landscape of attacks that use domains containing the string &#8220;telecom&#8221; in their names. We are interested in cases where such activity is classified as phishing, so that we can assess the scale, frequency, and targets of these attacks. <\/p>\n\n\n\n<p>The search returned 86 analysis sessions, 70 related domains, and enriched context data such as headers, attachments, network artifacts, timelines, and submission geographies.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522*telecom*%255C%2522%2520AND%2520threatName:%255C%2522phishing%255C%2522%2520and%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*telecom*&quot; AND threatName:&quot;phishing&quot; and threatLevel:&quot;malicious&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-1024x523.png\" alt=\"\" class=\"wp-image-15982\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-1024x523.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-585x300.png 585w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged-740x378.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/imaged.png 1321w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search for malware samples featuring domains with \u201ctelecom\u201d in name<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>These insights allow security teams to enrich TI sources, prioritize threats, identify campaign clusters, track temporal dynamics, update detection rules, and map related infrastructure.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How ANY.RUN Helps Telecom Companies Withstand the Growing Pressure of Phishing Attacks&nbsp;<\/h2>\n\n\n\n<p>Telecom companies are under constant fire from phishing campaigns that combine brand impersonation, malicious attachments, and fake domains. While attackers automate and scale their operations, security teams often struggle to keep up. ANY.RUN\u2019s ecosystem of services provides telecom defenders with the tools to detect, investigate, and respond to these threats more effectively:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Interactive Sandbox<\/strong>&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"494\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-1024x494.png\" alt=\"\" class=\"wp-image-15983\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-1024x494.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-300x145.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-768x371.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-1536x741.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-370x179.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-270x130.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14-740x357.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image14.png 1823w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Set up your virtual environment and run safe malware analysis in the Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Quickly detonate suspicious emails, attachments, or links in a <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">safe, interactive environment<\/a>. Observe behavior in real time, identify phishing kits like Tycoon2FA, and capture artifacts such as malicious redirects, domains, or dropped files.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Threat Intelligence Feeds<\/strong>&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"364\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6.png\" alt=\"\" class=\"wp-image-15946\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6-768x310.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image-6-740x299.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption 
class=\"wp-element-caption\"><em>TI Feeds: get real-time indicators from 15K SOC incident investigations<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Get continuously updated, actionable indicators of compromise (IOCs) drawn from global malware submissions. Telecom SOCs can integrate <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> directly into SIEM or EDR systems to block known phishing infrastructure before it reaches employees or customers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Threat Intelligence Lookup<\/strong><\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-1024x523.png\" alt=\"\" class=\"wp-image-15987\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-1024x523.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-1536x784.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1-740x378.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/09\/image16-1.png 1763w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Click the search bar and use tips on parameters and operators to look up IOCs and TTPs<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Go beyond single-sample analysis by exploring related campaigns. With <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>, analysts can pivot on domains, file hashes, or sender patterns to uncover broader phishing clusters targeting telecom brands. This makes it easier to map attacker infrastructure, understand campaign scope, and strengthen detection rules.<\/p>\n\n\n\n<p>By combining these services, telecom companies gain both the depth to analyze individual phishing attempts and the breadth to track large-scale campaigns. This layered approach enables faster detection, better prioritization, and ultimately stronger resilience against persistent phishing pressure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The analysis confirms that phishing attacks against telecom companies&#8217; employees remain highly relevant, often used to steal credentials and bypass 2FA.<\/p>\n\n\n\n<p>ANY.RUN\u2019s TI Lookup and YARA Search allow analysts to research the attacks and the employed malware, find samples linked to a targeted company\u2019s email addresses, and expose domains utilized for phishing. 
Security teams are able to gather valuable indicators (hashes, domains, IPs, headers) to enrich internal threat intelligence sources.<\/p>\n\n\n\n<p>Pattern-based detection methods tailored to telecom-sector targeting can help identify new campaigns faster and reduce organizational risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Speed up triage and response: Detonate suspicious files using ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> to observe malicious behavior in real time and collect insights for faster and more confident security decisions.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Improve threat detection: ANY.RUN\u2019s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Feeds<\/a> provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.<\/li>\n<\/ul>\n\n\n\n<p><a 
href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=telecom_attacks&amp;utm_term=240925&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Start a 14-day trial of ANY.RUN\u2019s solutions in your SOC today<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Telecommunications companies are the digital arteries of modern civilization. Compromise a major telecom operator, and you don&#8217;t just steal data \u2014 you gain the power to intercept communications, manipulate network traffic, and bring entire regions offline. Every day, ANY.RUN\u2019s solutions process thousands of threat samples, and hidden within them are patterns of activity targeting telecom operators. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16004,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34,40],"class_list":["post-15944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn how to use ANY.RUN\u2019s Sandbox and Threat Intelligence Lookup for analyzing and countering attacks targeting telecom companies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"4OURUP\" 
\/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\"},\"author\":{\"name\":\"4OURUP\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies\",\"datePublished\":\"2025-09-24T12:03:57+00:00\",\"dateModified\":\"2025-10-07T08:36:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\"},\"wordCount\":1979,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\",\"name\":\"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-09-24T12:03:57+00:00\",\"dateModified\":\"2025-10-07T08:36:01+00:00\",\"description\":\"Learn how to use ANY.RUN\u2019s Sandbox and Threat Intelligence Lookup for analyzing and countering attacks targeting telecom 
companies.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"4OURUP\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg\",\"caption\":\"4OURUP\"},\"description\":\"I research malicious activity, attack tactics, and techniques. I analyze cyber threats, process data, and help stay one step ahead of adversaries.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn how to use ANY.RUN\u2019s Sandbox and Threat Intelligence Lookup for analyzing and countering attacks targeting telecom companies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/","twitter_misc":{"Written by":"4OURUP","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/"},"author":{"name":"4OURUP","@id":"https:\/\/any.run\/"},"headline":"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies","datePublished":"2025-09-24T12:03:57+00:00","dateModified":"2025-10-07T08:36:01+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/"},"wordCount":1979,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/","url":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/","name":"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-09-24T12:03:57+00:00","dateModified":"2025-10-07T08:36:01+00:00","description":"Learn how to use ANY.RUN\u2019s Sandbox and Threat Intelligence Lookup for analyzing and countering attacks targeting telecom 
companies.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/fighting-telecom-attacks-with-anyrun\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"4OURUP","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up.jpg","caption":"4OURUP"},"description":"I research malicious activity, attack tactics, and techniques. 
I analyze cyber threats, process data, and help stay one step ahead of adversaries.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15944"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=15944"}],"version-history":[{"count":42,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15944\/revisions"}],"predecessor-version":[{"id":16242,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15944\/revisions\/16242"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/16004"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=15944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=15944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=15944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}