{"id":16243,"date":"2025-10-07T12:55:48","date_gmt":"2025-10-07T12:55:48","guid":{"rendered":"\/cybersecurity-blog\/?p=16243"},"modified":"2026-02-26T12:56:26","modified_gmt":"2026-02-26T12:56:26","slug":"osint-in-threat-intelligence-lookup","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/osint-in-threat-intelligence-lookup\/","title":{"rendered":"Phishing, Cloud Abuse, and Evasion: Advanced OSINT Investigation with ANY.RUN Threat Intelligence\u00a0"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note:\u00a0The current article is authored by Clandestine, threat researcher and threat hunter. You can\u00a0<\/em><\/strong><a href=\"https:\/\/x.com\/akaclandestine\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Clandestine on X<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>\u00a0<\/p>\n\n\n\n<p>ANY.RUN\u2019s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence (TI) Lookup<\/a> is a powerful service for Open Source Intelligence (OSINT) and Threat Intelligence investigations. 
In this research, we shall analyze 5 specific queries, each targeting different aspects of the threat landscape, to better understand the nature of modern threats as well as defense and response strategies.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Findings&nbsp;<\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>JA3S Fingerprinting<\/strong> underscores the value of behavioral indicators in hunting advanced threats, allowing analysts to track Command and Control infrastructure even when attackers rotate IP addresses and domains.\u00a0<\/li>\n<li><strong>Massive abuse of legitimate infrastructure<\/strong> (AWS, Google Cloud, Cloudflare, Microsoft services) complicates detection, as malicious traffic blends with legitimate services.\u00a0<\/li>\n<li><strong>Locally targeted phishing operations<\/strong> demonstrate that attackers tailor their strategies by geography. This highlights the importance of localized cyber threat intelligence.\u00a0<\/li>\n<li>By <strong>combining sandbox detonation with TI Lookup queries<\/strong>, analysts uncover trojan traffic disguised within HTTPS (port 443). 
This methodology demonstrates the benefit of correlating behavioral analysis with IOC-based searches.\u00a0<\/li>\n<li>The <strong>.top domain extension<\/strong> serves as a thriving ecosystem for cybercrime, with randomly generated (DGA) domains used for malware delivery, often leveraging WinRAR for payload extraction.\u00a0<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Exploring Beyond IOCs: Malicious Pattern Case Studies&nbsp;&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence (TI) Lookup<\/a> is a dynamic, searchable database that equips security analysts with immediate access to over 50 million Indicators of <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">Compromise (IOCs), Behavior (IOBs), and Attack (IOAs)<\/a> and threat events extracted from real-time malware sandbox analyses conducted by a global community of over 500,000 analysts and 15,000 companies.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Tailored for threat hunting, alert triage, and incident response, it allows analysts to query the database using more than 40 parameters \u2013 including hashes, IPs, registry keys, processes, and TTPs. 
It supports search operators, wildcards, YARA and Suricata rules, and notifies on updates on saved searches.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Let\u2019s see how analysts can use it as part of their OSINT investigation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 1: Investigating Regionalized Phishing Campaigns&nbsp;<\/h3>\n\n\n\n<p><strong>Query<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522threatName:%255C%2522Phishing%255C%2522%2520AND%2520submissionCountry:%255C%2522br%255C%2522%2520and%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;Phishing&#8221; AND submissionCountry:&#8221;br&#8221; and domainName:&#8221;&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-1024x560.png\" alt=\"\" class=\"wp-image-16247\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-1024x560.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-300x164.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-768x420.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-1536x840.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-370x202.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9-740x405.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image9.png 1844w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Examples of phishing encountered by Brazilian users<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>We can start by checking for active phishing campaigns targeting organizations in our region. Even with a <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-lookup-new-plan\/\" target=\"_blank\" rel=\"noreferrer noopener\">free plan<\/a>, TI Lookup provides us with many sandbox analyses of the latest malicious domains and emails sent to companies in Brazil.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"588\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-1024x588.png\" alt=\"\" class=\"wp-image-16248\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-1024x588.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-768x441.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-1536x882.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-370x213.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea-740x425.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/imagea.png 1833w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Network infrastructure related to phishing attacks on Brazilian users<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>We can also observe legitimate infrastructure abuse, as a number of known service subdomains are linked to the campaigns along with malicious domains. Globally hosted infrastructure is leveraged to hinder takedown.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Actionable Intelligence:<\/strong> Organizations in Brazil should be especially alert to emails containing links to subdomains of popular services. 
Security teams can use the identified domains and IPs to create proactive defense using detection and blocking rules.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 2: Tracking C2 Infrastructure with JA3S&nbsp;<\/h3>\n\n\n\n<p><strong>Query<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522ja3s:%255C%25221af33e1657631357c7311948804530%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">ja3s:&#8221;1af33e1657631357c73119488045302c&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-1024x584.png\" alt=\"\" class=\"wp-image-16249\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-1024x584.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-768x438.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1-740x422.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1.png 1470w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search by a single connection parameter reveals a malicious pattern<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>The JA3S hash is a fingerprint of how a TLS client communicates. 
Different malware or attack tools may have unique JA3S signatures, allowing analysts to track their Command and Control (C2) infrastructure even when IP addresses and domains change. Hash &#8220;1af33e1657631357c73119488045302c&#8221; is commonly associated with Cobalt Strike.\u00a0\u00a0<\/p>\n\n\n\n<p>What do we capture from the search results?&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1,000+ system events, mostly involving slui.exe (System License User Interface), svchost.exe, and PowerShell.\u00a0<\/li>\n<li>Predominant communication over port 443 (HTTPS), paired with evasion techniques that abuse LOLBins.\u00a0<\/li>\n<li>Abuse of major cloud providers to host C2 infrastructure (Microsoft, GitHub, Google, Amazon, CloudFlare).\u00a0<\/li>\n<li>Techniques: use of legitimate system tools for malicious execution.\u00a0<\/li>\n<\/ul>\n\n\n\n<p><strong>Actionable Intelligence<\/strong>: Detection of this JA3S hash on the network is a strong indicator of a Cobalt Strike infection or abuse of a similar tool. Security teams should correlate these alerts with other endpoint and network events to identify compromised systems and initiate incident response.&nbsp;<\/p>\n\n\n\n<p>TI Lookup\u2019s \u201cAnalyses\u201d tab contains links to <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox<\/a> analyses of malware samples featuring the hash in question. 
We can filter for samples tagged as \u201cmalicious\u201d and study various attack scenarios leveraging similar TTPs:&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-1024x571.png\" alt=\"\" class=\"wp-image-16250\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-1024x571.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1-740x412.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1.png 1482w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Filter malware samples to observe the same pattern in different attacks<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>For example, <a href=\"https:\/\/app.any.run\/tasks\/83c1476f-966f-481a-a3ab-c89ba048db1f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">one can view<\/a> a <a href=\"https:\/\/any.run\/malware-trends\/cerber\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cerber ransomware<\/a> attack and see how it abuses system tools and cloud services.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"515\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-1024x515.png\" alt=\"\" class=\"wp-image-16257\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-1024x515.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-300x151.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-768x387.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-1536x773.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-270x136.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1-740x373.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1.png 1768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A sandbox analysis session of a ransomware sample<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Case 3: Hunting Trojan Traffic Camouflaged in HTTPS&nbsp;<\/h3>\n\n\n\n<p><strong>Query<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522destinationIPgeo:%255C%2522ru%255C%2522%2520AND%2520suricataClass:%255C%2522trojan%255C%2522%2520AND%2520destinationPort:%255C%2522443%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIPgeo:&#8221;ru&#8221; AND suricataClass:&#8221;trojan&#8221; AND destinationPort:&#8221;443&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>This query is a classic example of threat hunting. 
It doesn&#8217;t look up a specific IOC but rather searches for a suspicious behavior pattern: traffic classified as trojan by the Suricata engine, destined for IPs in Russia and using port 443 (HTTPS).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-1024x622.png\" alt=\"\" class=\"wp-image-16251\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5.png 1470w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Gather IOCs and observe 443 port exploited in a single lookup<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>Russia is generally a suspicious communication destination, and port 443 is used to camouflage malicious traffic. The attack strategy includes threat diversity: multiple services and legitimate domains are abused; various ports are employed for communication and fallback. 
<\/p>\n\n\n\n<p><strong>Actionable Intelligence<\/strong>: This query provides a list of high-risk IPs and domains for enriching perimeter defenses. 
The combination of destination geolocation, threat classification, and communication port is a powerful hunting methodology.\u00a0<\/p>\n\n\n\n<p>TI Lookup has found a number of analysis sessions demonstrating this behavior pattern. &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/e63bad1c-679e-497b-aafc-ef92865ab84b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View an example in the Sandbox<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"511\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-1024x511.png\" alt=\"\" class=\"wp-image-16252\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-1024x511.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-768x383.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-1536x767.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-740x369.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6.png 1763w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Remote Access Trojan\u2019s attack chain and TTPs mapped in a Sandbox analysis<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Case 4: Unmasking BEC Campaigns Focused on Invoices\u00a0<\/h3>\n\n\n\n<p><strong>Query<\/strong>: <a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522filePath:%255C%2522invoice.pdf%255C%2522%2520OR%2520filePath:%255C%2522pagamento.pdf%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;invoice.pdf&#8221; OR filePath:&#8221;pagamento.pdf&#8221;<\/a>\u00a0<br><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-1024x578.png\" alt=\"\" class=\"wp-image-16253\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7.png 1477w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Files spotted in phishing campaigns with fake financial documents<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>Business Email Compromise (BEC) frauds continue to be one of the most lucrative threats. 
This query searches for PDF files containing the words &#8220;invoice&#8221; or &#8220;pagamento&#8221; (payment) in their name, an extremely common infection vector in BEC schemes.&nbsp;<\/p>\n\n\n\n<p>The malicious files are often hosted on Amazon S3 Buckets and named to appear legitimate. Exploring such attacks delivers file hashes to use as IOCs for detection.&nbsp;<\/p>\n\n\n\n<p><strong>Actionable Intelligence<\/strong>: Organizations should implement email attachment verification and educate employees about fake invoice risks. The IOCs should be added to block lists, and monitoring downloads from unknown S3 buckets can be effective.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 5: Identifying Malicious Activity Hotspots with TLDs\u00a0<\/h3>\n\n\n\n<p><strong>Query<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%2522*.top%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;*.top&#8221; AND threatLevel:&#8221;malicious&#8221;<\/a>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"634\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-1024x634.png\" alt=\"\" class=\"wp-image-16254\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-1024x634.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-300x186.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-768x476.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-370x229.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-270x167.png 
270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8-740x458.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image8.png 1472w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious domains and linked IOCs must be gathered for detection\/response<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>Certain Top-Level Domains (TLDs) are notoriously abused by cybercriminals due to low cost and loose regulation. The .top TLD is one of these. This query searches for all domains ending in .top that have been classified as malicious.&nbsp;<\/p>\n\n\n\n<p>Such domains, mostly generated by algorithms, support a thriving ecosystem for malicious activities. They are often used for delivering payloads packed in WinRAR archives. Cloudflare services are used to conceal true server locations.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Actionable Intelligence<\/strong>: Given the extremely high volume of malicious activity, many organizations block the .top TLD completely. Appearances of .top domains in network logs should be treated as high-priority events.&nbsp;<\/p>\n\n\n\n<p>Altogether, these searches provide insight into the broader threat landscape and recent query patterns, showing the diversity of investigation approaches used in threat hunting. 
Threat intelligence lookups can focus on a topical threat type (for example, phishing), on abuse of legitimate tools, or on registry modifications: queries can target both IOCs and behavioral patterns.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons Learned: Security Recommendations&nbsp;<\/h2>\n\n\n\n<p>Here\u2019s how SOC teams and threat hunters can perform an effective OSINT investigation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">For Analysts&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implement multi-parameter hunting queries<\/strong> combining JA3S fingerprints, destination geolocation, and Suricata classifications rather than relying solely on hash or domain lookups.\u00a0<\/li>\n<li><strong>Create detection rules<\/strong> for the identified JA3S hash and monitor for similar TLS fingerprinting patterns indicating Cobalt Strike or similar frameworks.\u00a0<\/li>\n<li><strong>Monitor for traffic<\/strong> to non-standard ports and HTTPS-based C2 activity; correlate with TI Lookup results for stronger detection.\u00a0<\/li>\n<li><strong>Integrate sandbox detonations<\/strong> into investigations to validate suspicious files, uncover hidden payloads, and gather fresh IOCs.\u00a0<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">For SOC and MSSP Leaders&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Adopt proactive hunting playbooks<\/strong> that leverage behavior-based patterns (e.g., phishing, malicious PDFs, LOLBins) instead of relying solely on static IOCs.\u00a0<\/li>\n<li><strong>Automate ingestion of ANY.RUN TI Feeds and Lookup results<\/strong> into SIEM\/SOAR platforms to strengthen correlation and reduce analyst workload.\u00a0<\/li>\n<li><strong>Establish rules and 
alerts<\/strong> around high-risk TLDs (.top, .shop, .cc) and cloud-hosted infrastructures commonly abused by attackers.\u00a0<\/li>\n<li><strong>Adopt a Zero Trust security model<\/strong>: the extensive abuse of trusted infrastructure (Microsoft, Google, Amazon domains) demonstrates that brand reputation no longer guarantees safety.\u00a0<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">For Business Decision Makers&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Support employee awareness campaigns<\/strong>, especially for financial teams, to counter phishing and BEC attempts.\u00a0<\/li>\n<li><strong>Recognize that cloud service abuse is now the norm<\/strong> in modern campaigns, so budgeting for advanced detection and monitoring is critical to maintaining resilience.\u00a0<\/li>\n<li><strong>Budget for cyber threat intelligence solutions<\/strong> that provide both sandboxing and lookup capabilities: the ROI comes from preventing successful breaches through proactive threat hunting rather than reactive incident response.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>This investigation highlights how modern cyber threats are increasingly sophisticated, regionalized, and reliant on abusing legitimate infrastructure to evade detection. Static IOCs alone are insufficient for defense. Security teams must embrace behavior-based detection and proactive hunting strategies.&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN\u2019s TI Lookup and Sandbox provide the intelligence depth and investigative flexibility needed to uncover hidden connections, expose attacker TTPs, and accelerate incident response. 
Organizations that combine advanced threat intelligence solutions with strong security culture and well-trained teams will be better positioned to withstand evolving threats and reduce the cost and impact of cyber incidents.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> to streamline malware investigations worldwide.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Speed up triage and response by detonating suspicious files in ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. 
Paired with <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktofeeds\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=guest_osint&amp;utm_term=071025&amp;utm_content=linktoenterpriseform#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Explore more of ANY.RUN\u2019s capabilities during a 14-day trial\u2192<\/a><\/p>\n","protected":false}}